Windows Analysis Report
Collaboration-x64.exe

Overview

General Information

Sample name: Collaboration-x64.exe
Analysis ID: 1590179
MD5: 335fe577cfcd7c2e3d62ca7ae6c92b8f
SHA1: e025f1c339ac4f39134283cb7dff0a2b48e5be6b
SHA256: 7b999bd912a71a10f056eb8052a0475efdff781a15b94606138c6525c60665cb

Detection

Score: 57
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 36
Range: 0 - 100

Signatures

Drops large PE files
Excessive usage of taskkill to terminate processes
Modifies the windows firewall
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Suspicious Schtasks Execution AppData Folder
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • Collaboration-x64.exe (PID: 4476 cmdline: "C:\Users\user\Desktop\Collaboration-x64.exe" MD5: 335FE577CFCD7C2E3D62CA7AE6C92B8F)
    • netsh.exe (PID: 1852 cmdline: netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SetupWIService.exe (PID: 2416 cmdline: "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true MD5: A7046C3136192E6E7B5180728B3B3B49)
      • cmd.exe (PID: 2000 cmdline: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 1144 cmdline: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 6120 cmdline: cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 3328 cmdline: schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 4900 cmdline: cmd /C taskkill /F /IM WIService.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 3688 cmdline: taskkill /F /IM WIService.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 6204 cmdline: cmd /C taskkill /F /IM WIui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 3248 cmdline: taskkill /F /IM WIui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 5124 cmdline: cmd /C taskkill /F /IM wirtpproxy.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 2568 cmdline: taskkill /F /IM wirtpproxy.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 7140 cmdline: cmd /C taskkill /F /IM wiservice-ui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 5984 cmdline: taskkill /F /IM wiservice-ui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 2996 cmdline: cmd /C taskkill /F /IM vncsrv.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 3328 cmdline: taskkill /F /IM vncsrv.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 4228 cmdline: cmd /C taskkill /F /IM WildixOutlookIntegration.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 2104 cmdline: taskkill /F /IM WildixOutlookIntegration.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 3408 cmdline: cmd /C taskkill /F /IM WildixOutlookSync32.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 3868 cmdline: cmd /C taskkill /F /IM WildixOutlookSync64.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 7140 cmdline: taskkill /F /IM WildixOutlookSync64.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • RegAsm.exe (PID: 5444 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm" "C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll" /silent /codebase MD5: A4EB36BAE72C5CB7392F2B85609D4A7E)
        • conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SetupWIService.exe (PID: 2792 cmdline: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true MD5: A7046C3136192E6E7B5180728B3B3B49)
    • cmd.exe (PID: 6760 cmdline: cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2128 cmdline: schtasks /delete /TN "Wildix\WIService failed update recovery" /F MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7084 cmdline: cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3408 cmdline: schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 1820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Conhost.exe (PID: 3248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 5652 cmdline: taskkill /F /IM WildixOutlookSync32.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 1060 cmdline: cmd /C taskkill /F /IM WIService.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5244 cmdline: taskkill /F /IM WIService.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 5312 cmdline: cmd /C taskkill /F /IM WIui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 2540 cmdline: taskkill /F /IM WIui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 3168 cmdline: cmd /C taskkill /F /IM wirtpproxy.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3588 cmdline: taskkill /F /IM wirtpproxy.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 5168 cmdline: cmd /C taskkill /F /IM wiservice-ui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5124 cmdline: taskkill /F /IM wiservice-ui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 4456 cmdline: cmd /C taskkill /F /IM vncsrv.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6072 cmdline: taskkill /F /IM vncsrv.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 428 cmdline: cmd /C taskkill /F /IM WildixOutlookIntegration.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 2112 cmdline: taskkill /F /IM WildixOutlookIntegration.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 2256 cmdline: cmd /C taskkill /F /IM WildixOutlookSync32.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 732 cmdline: taskkill /F /IM WildixOutlookSync32.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 2688 cmdline: cmd /C taskkill /F /IM WildixOutlookSync64.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5024 cmdline: taskkill /F /IM WildixOutlookSync64.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • wiservice.exe (PID: 2324 cmdline: "C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter MD5: D62710F3678538E483FFC7EA112D7F68)
    • Conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SetupWIService.exe (PID: 5700 cmdline: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S MD5: A7046C3136192E6E7B5180728B3B3B49)
    • cmd.exe (PID: 5440 cmdline: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3176 cmdline: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 3400 cmdline: cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5196 cmdline: schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 1888 cmdline: cmd /C taskkill /F /IM WIService.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3320 cmdline: taskkill /F /IM WIService.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 3520 cmdline: cmd /C taskkill /F /IM WIui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6368 cmdline: taskkill /F /IM WIui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 2648 cmdline: cmd /C taskkill /F /IM wirtpproxy.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3168 cmdline: taskkill /F /IM wirtpproxy.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 3900 cmdline: cmd /C taskkill /F /IM wiservice-ui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 1144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5404 cmdline: taskkill /F /IM wiservice-ui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 4324 cmdline: cmd /C taskkill /F /IM vncsrv.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5244 cmdline: taskkill /F /IM vncsrv.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 6388 cmdline: cmd /C taskkill /F /IM WildixOutlookIntegration.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 1888 cmdline: taskkill /F /IM WildixOutlookIntegration.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • Conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1284 cmdline: cmd /C taskkill /F /IM WildixOutlookSync32.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 2996 cmdline: taskkill /F /IM WildixOutlookSync32.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 4228 cmdline: cmd /C taskkill /F /IM WildixOutlookSync64.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4544 cmdline: taskkill /F /IM WildixOutlookSync64.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 4248 cmdline: cmd /C taskkill /F /IM WIService.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 1888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • spoolsv.exe (PID: 3912 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true, ParentImage: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe, ParentProcessId: 2416, ParentProcessName: SetupWIService.exe, ProcessCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 2000, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true, ParentImage: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe, ParentProcessId: 2416, ParentProcessName: SetupWIService.exe, ProcessCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 2000, ProcessName: cmd.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2000, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 1144, ProcessName: schtasks.exe
Source: Process started | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2000, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 1144, ProcessName: schtasks.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Program Files\Wildix\WIService\WIService.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe, ProcessId: 2792, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIService
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2000, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 1144, ProcessName: schtasks.exe
No Suricata rule has matched

Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_531231b4-7)
Source: C:\Users\user\Desktop\Collaboration-x64.exe | EXE: netsh.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | EXE: C:\Users\user\AppData\Local\wildix-collaboration-updater\installer.exe

Compliance

Source: C:\Users\user\Desktop\Collaboration-x64.exe | EXE: netsh.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | EXE: C:\Users\user\AppData\Local\wildix-collaboration-updater\installer.exe
Source: Collaboration-x64.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\uninstallerIcon.ico
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\chrome_100_percent.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\chrome_200_percent.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\icudtl.dat
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\libEGL.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\libGLESv2.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\LICENSE.electron.txt
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\LICENSES.chromium.html
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\snapshot_blob.bin
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\v8_context_snapshot.bin
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\vk_swiftshader.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\vk_swiftshader_icd.json
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\vulkan-1.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\af.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\am.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ar.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\bg.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\bn.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ca.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\cs.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\da.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\de.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\el.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\en-GB.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\en-US.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\es-419.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\es.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\et.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\fa.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\fi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\fil.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\fr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\gu.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\he.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\hi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\hr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\hu.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\id.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\it.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ja.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\kn.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ko.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\lt.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\lv.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ml.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\mr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ms.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\nb.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\nl.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\pl.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\pt-BR.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\pt-PT.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ro.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ru.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\sk.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\sl.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\sr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sv.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sw.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ta.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\te.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\th.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\tr.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\uk.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ur.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\vi.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\zh-CN.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\zh-TW.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resourcesJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\app.asarJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\elevate.exeJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modulesJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regeditJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\ArchitectureAgnosticRegistry.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\ArchitectureSpecificRegistry.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\JsonSafeTest.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regCreateKey.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regDeleteKey.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regList.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regListStream.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regPutValue.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regUtil.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\util.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\Uninstall Wildix Collaboration.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\DseaCallControlSdk.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wildix.ico
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wiservice.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WisUpdateCheckerTaskX64.xml
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\x-bees.ico
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\imgprint.gpd
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDDTYPE.GDL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDNAMES.GPD
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDSCHEM.GDL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDSCHMX.GDL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRV.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRV.HLP
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIRES.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\wfaxport.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtBase0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtHeadset0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\resources
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\resources\cdr.db
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Office.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\UC.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\websocket-sharp.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wildix-oi.ico
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll.manifest
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookCommon.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.vsto
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\dotnet-dump.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wiservice.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtBase0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtHeadset0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\UninstallWIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\proxyex.lnk
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\44138925-f2ba-545d-a77a-222326161a05
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\LICENSE.electron.txt
Source: Collaboration-x64.exe | Static PE information: certificate valid
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File opened: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: Collaboration-x64.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: elevate.exe.0.dr
Source: Binary string: D3DCompiler_47.pdb source: Collaboration-x64.exe, 00000000.00000003.2028728205.0000000005107000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\asn1\x_info.ccrypto\pem\pem_info.ccrypto\ocsp\ocsp_lib.c0 source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\win-x64-release\wiservice.pdb: source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.2033867466.0000000002A3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.2030038197.000000000510C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\electron.exe.pdb source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: Collaboration-x64.exe, 00000000.00000003.2028728205.0000000005107000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1902299152.0000000006020000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2047863312.0000000005101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1902299152.0000000006020000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\win-x64-release\wiservice.pdb source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\projects\serilog-sinks-console\src\Serilog.Sinks.Console\obj\Release\net45\Serilog.Sinks.Console.pdbP source: Serilog.Sinks.Console.dll.7.dr
Source: Binary string: C:\projects\serilog-sinks-console\src\Serilog.Sinks.Console\obj\Release\net45\Serilog.Sinks.Console.pdb source: Serilog.Sinks.Console.dll.7.dr
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Code function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Code function: 7_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Code function: 7_2_00406873 FindFirstFileW,FindClose,7_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Code function: 7_2_0040290B FindFirstFileW,7_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Code function: 13_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,13_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Code function: 13_2_00406873 FindFirstFileW,FindClose,13_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Code function: 13_2_0040290B FindFirstFileW,13_2_0040290B
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.00000000076D9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.00000000076D9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.dr | String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.dr | String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cldr.unicode.org/index/downloads
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://code.google.com/p/python-gflags/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://code.google.com/p/smhasher/
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.dr | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.dr | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.dr | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.00000000076D9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.godaddy.com/gds1-20
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://dev.w3.org/2006/webapi/XMLHttpRequest-2/Overview.html#the-formdata-interface
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://developer.android.com/tools/extras/support-library.html
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://example.org/
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/common
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/commonnode-set..
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://form-data.github.io/images/gitterbadge.svg)
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://git.linuxtv.org/v4l-utils.git
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://google.github.io/snappy/
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://icl.com/saxon
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://icl.com/saxonorg.apache.xalan.xslt.extensions.RedirectxsltDocumentElem:
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://narwhaljs.org)
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://nodejs.org/images/logo.png
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007572000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ns.apple.com/HDRGainMap/1.0/
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007572000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ns.apple.com/pixeldatainfo/1.0/
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007572000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ns.google.com/photos/1.0/container/
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007572000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ns.google.com/photos/1.0/container/item/
Source: Collaboration-x64.exe, 00000000.00000000.1807170447.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetupWIService.exe, 00000007.00000000.2168944534.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000000.2176945565.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000000.2199640317.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040A000.00000004.00000001.01000000.0000000E.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.00000000076D9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.godaddy.com/0J
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://opensource.perlig.de/rjsmin/
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://placehold.it/32x32
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drString found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drString found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drString found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.00000000076D9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s..
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://service.com/upload
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://source.android.com/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://source.android.com/compatibility)
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drString found in binary or memory: http://subca.ocsp-certum.com01
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drString found in binary or memory: http://subca.ocsp-certum.com02
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drString found in binary or memory: http://subca.ocsp-certum.com05
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://substack.net
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tukaani.org/xz/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tukaani.org/xz/>.
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://userguide.icu-project.org/strings/properties
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://valgrind.org
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://website-archive.mozilla.org/www.mozilla.org/mpl/MPL/NPL/1.1/):
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://wpad/wpad.dat
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://wpad/wpad.dat..
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888904412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2116585951.000000000510D000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1889163010.0000000006160000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888904412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2116585951.000000000510D000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1889163010.0000000006160000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.apple.com/legal/guidelinesfor3rdparties.html.
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drString found in binary or memory: http://www.certum.pl/CPS0
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.finesse.demon.co.uk/steven/sqrt.html.
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.freedesktop.org/wiki/Software/xdg-user-dirs
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888904412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.futurealoof.com)
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.gutenberg.org/ebooks/53).
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.jclark.com/xt
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.justmoon.net)
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.linux-usb.org/usb-ids.html
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/MPL/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/NPL/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.opensource.apple.com/apsl/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.opensource.org/licenses/bsd-license.php
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pertinentdetail.org/sqrt
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ploscompbiol.org/static/license
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.polymer-project.org
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.portaudio.com
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/shell-encryption
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/ukey2
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/wicked-good-xpath
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/woff2
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/wuffs-mirror-release-c
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/xnnpack
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-status
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-statusFailed
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/heycam/webidl/pull/946.
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/intel/libva
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/isaacs/color-support.
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/joyent/node/issues/3295.
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/jrmuizel/qcms/tree/v4
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/jsdom/webidl-conversions
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/jsdom/webidl-conversions/blob/master/LICENSE.md.
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/justmoon/node-extend.git
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888904412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/kevva
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/libuv/libuv/pull/1501.
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/libuv/libuv/pull/2025.
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ljharb
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/end-of-stream
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mafintosh/pump
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mathiasbynens/emoji-regex.git
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mikeal/forever-agent
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mysticatea/abort-controller
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/10673
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/19009
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/2006
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/2119
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/3392
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/34532
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/35452
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/35475
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/35862
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/35981
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/39707
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/issues/39758
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/12342
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/12607
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/26334.
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/32887
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/33515.
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/33661
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/3394
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34010
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34375
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/34385
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/35941
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38248
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/38614)
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/43714
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/44004#discussion_r930958420
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/46161
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/nodejs/node/pull/48477#issuecomment-1604586650
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/protocolbuffers/protobuf/blob/master/java/lite.md
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/puppeteer/puppeteer/tree/main/packages/puppeteer-core
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/request/request)
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/request/request):
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/requests/toolbelt
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/simplejson/simplejson
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2116585951.000000000510D000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1889163010.0000000006160000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/sponsors/sindresorhus
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/standard-things/esm/issues/821.
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tc39/ecma262/issues/1209
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tc39/proposal-weakrefs
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/models
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/tensorflow
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/text.git
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/tflite-support
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/test262-utils/test262-harness-py
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/wasdk/wasmparser
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/xiph/rnnoise
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/zeux/volk
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/zorkow/speech-rule-engine
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gitlab.freedesktop.org/xorg/proto/xproto/
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gitter.im/form-data/form-data
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gitter.im/form-data/form-data)
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/4NeimX
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/4NeimXAccess
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/4NeimXOrigin
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/4NeimXgetDescriptor(s)
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/4NeimXreadValue()
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/4NeimXwriteValue()
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/7K7WLu
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/7K7WLuThe
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/7K7WLuWebAudio.AutoplayWebAudio.Autoplay.CrossOriginWebAudio.Autoplay.UnlockType..
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/EuHzyv
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/HxfxSQ
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/HxfxSQOrigin
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/HxfxSQrequestDevice()
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/J6ASzs
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/J6ASzsBluetooth
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/rStTGz
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/t5IS6M).
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/xX8pDD
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/xX8pDDplay()
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/ximf56
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goo.gl/ximf56Iframe
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-analytics.com/
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google.com/pay
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://googlevideo.com/
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gvt1.com/
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gvt2.com/
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gvt6.com/
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/mozilla-central/file/tip/netwerk/base/nsURLParsers.cpp
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/canvas.html#concept-canvas-will-read-frequently
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/web-messaging.html#broadcasting-to-other-browsing-contexts
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://img.shields.io/appveyor/ci/alexindigo/form-data/master.svg?label=windows:4.x-9.x)
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://img.shields.io/coveralls/form-data/form-data/master.svg?label=code
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://img.shields.io/david/form-data/form-data.svg)
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://img.shields.io/npm/v/form-data.svg)
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://img.shields.io/travis/form-data/form-data/master.svg?label=linux:4.x-9.x)
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://img.shields.io/travis/form-data/form-data/master.svg?label=macos:4.x-9.x)
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64-decode
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://linux.die.net/man/1/dircolors).
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888904412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mathiasbynens.be/
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888904412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2116585951.000000000510D000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1889163010.0000000006160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mths.be/emoji
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mths.be/emoji-regex
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://no-color.org/
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/api/fs.html
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/api/permissions.html#file-system-permissions
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/download/release/v20.9.0/node-v20.9.0-headers.tar.gz
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/download/release/v20.9.0/node-v20.9.0.tar.gz
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/download/release/v20.9.0/node-v20.9.0.tar.gzhttps://nodejs.org/download/release/v
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/download/release/v20.9.0/win-x64/node.lib
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://opensource.apple.com/source/xnu/
Source: Collaboration-x64.exe, 00000000.00000003.2099671309.0000000002C31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google.com
Source: Collaboration-x64.exe, 00000000.00000003.2099304396.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, fr.pak.0.dr | String found in binary or memory: https://passwords.google.comCompte
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pay.google.com/authentication
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://play.google.com/billing
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://play.google.com/billinghttps://google.com/payhttps://android.com/payhttps://pay.google.com/a
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://polymer-library.polymer-project.org
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pypi.org/project/pyparsing
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pypi.org/project/six/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pypi.python.org/pypi/WebOb/1.5.0a0
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pypi.python.org/pypi/pyfakefs
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pypi.python.org/pypi/webapp2
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://quiche.googlesource.com/quiche
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://redux.js.org/
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2116585951.000000000510D000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1889163010.0000000006160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sindresorhus.com
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2116585951.000000000510D000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1889163010.0000000006160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sindresorhus.com)
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sites.google.com/site/gaviotachessengine/Home/endgame-tablebases-1
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sizzlejs.com/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://skia.org/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://source.chromium.org/chromium/chromium/src/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://source.corp.google.com/piper///depot/google3/third_party/tamachiyomi/README.md
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sourceforge.net/projects/wtl/files/WTL%2010/
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sourcemaps.info/spec.html
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sqlite.org/
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com/
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/a/5501711/3561
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://streams.spec.whatwg.org/#example-manual-write-with-backpressure
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://streams.spec.whatwg.org/#example-rbs-pull
Source: Collaboration-x64.exe, 00000000.00000003.2099304396.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099671309.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2097865932.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2098690448.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2100386244.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099003713.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099989651.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2115138291.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2098274265.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2114788244.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, zh-CN.pak.0.dr, fr.pak.0.dr | String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: Collaboration-x64.exe, 00000000.00000003.2099304396.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099671309.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2097865932.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2098690448.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2100386244.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099003713.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099989651.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2115138291.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2098274265.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2114788244.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, zh-CN.pak.0.dr, fr.pak.0.dr | String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://swiftshader.googlesource.com/SwiftShader
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.es/ecma262/#eqn-modulo
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.es/ecma262/#sec-HostLoadImportedModule.
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.es/ecma262/#sec-timeclip
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.es/ecma262/#sec-tonumber
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.es/ecma262/#table-typeof-operator-results
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.github.io/ecma262/#sec-%typedarray%.of
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1888904412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://travis-ci.org/form-data/form-data)
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#concept-url
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#special-scheme
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#url
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://v8.dev/
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/FileAPI/#creating-revoking
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/manifest/#installability-signals
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/manifest/#installability-signalsVideoFrameProviderClientImpl::StartRenderingVi
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-mark-resource-timing
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-setup-the-resource-timing-entry
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/resource-timing/#dom-performance-setresourcetimingbuffersize
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/webcrypto/#SubtleCrypto-method-wrapKey
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webassembly.github.io/spec/web-api
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webidl.spec.whatwg.org/#Exposed
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webidl.spec.whatwg.org/#Exposed.
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webidl.spec.whatwg.org/#abstract-opdef-converttoint
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webidl.spec.whatwg.org/#abstract-opdef-integerpart
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webidl.spec.whatwg.org/#es-DOMString
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webidl.spec.whatwg.org/#es-dictionary
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webkit.org/
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://webrtc.googlesource.com/src/
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://wicg.github.io/entries-api/#dom-htmlinputelement-webkitdirectory).
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, elevate.exe.0.dr | String found in binary or memory: https://wildix.com/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.apache.org/licenses/
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bithound.io/github/form-data/form-data)
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bithound.io/github/form-data/form-data/badges/score.svg)
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bluetooth.com/specifications/gatt/characteristics
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bluetooth.com/specifications/gatt/descriptors
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bluetooth.com/specifications/gatt/services
Source: Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.dr | String found in binary or memory: https://www.certum.pl/CPS0
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/4664843055398912
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/5093566007214080
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/5093566007214080ErrorEventInitG
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/5636954674692096
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/5644273861001216.
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/5682658461876224.
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/5718547946799104
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B58000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/6662647093133312
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B58000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromestatus.com/feature/6662647093133312InputDeviceCapabilities
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.chromium.org
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-line-terminators
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.khronos.org/registry/
Source: Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.npmjs.com/package/form-data)
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.strongtalk.org/
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.unicode.org/copyright.html.
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405461
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_7624f589-d
Source: cmd.exeProcess created: 62

System Summary

Source: C:\Users\user\Desktop\Collaboration-x64.exe File dump: Wildix Collaboration.exe.0.dr 176619800
Source: C:\Users\user\Desktop\Collaboration-x64.exe File dump: Wildix Collaboration.exe0.0.dr 176619800
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_100010D0 GetVersionExW,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,lstrcpynW,lstrcmpiW,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcmpiW,CloseHandle,FreeLibrary,0_2_100010D0
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: 7_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,7_2_0040352D
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: 13_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,13_2_0040352D
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe File deleted: C:\Windows\Temp\nsrFD7.tmp
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_00406B15
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_004072EC
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_00404C9E
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: 7_2_0040755C
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: 7_2_00406D85
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: 13_2_0040755C
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: 13_2_00406D85
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Code function: 99_2_00007FFD9BB71A77
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Code function: 99_2_00007FFD9BB71278
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: String function: 00402DA6 appears 52 times
Source: UNIRES.DLL.7.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: UNIRES.DLL.7.dr Static PE information: Resource name: None type: COM executable for DOS
Source: Wildix Collaboration.exe.0.dr Static PE information: Number of sections : 14 > 10
Source: Wildix Collaboration.exe0.0.dr Static PE information: Number of sections : 14 > 10
Source: UC.dll.7.dr Static PE information: No import functions for PE file found
Source: UNIRES.DLL.7.dr Static PE information: No import functions for PE file found
Source: Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameJ vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameJ vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.2033867466.0000000002A3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibEGL.dllb! vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1902299152.0000000006020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1902299152.0000000006020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.2047863312.0000000005101000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevk_swiftshader.dll, vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.2034649127.0000000005100000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dllb! vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.2028728205.0000000005107000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1894090122.0000000006046000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs Collaboration-x64.exe
Source: Collaboration-x64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: UNIRES.DLL.7.dr Static PE information: Section .rsrc
Source: classification engine Classification label: mal57.evad.winEXE@235/163@4/0
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: 7_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,7_2_0040352D
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Code function: 13_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,13_2_0040352D
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404722
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_00402104 CoCreateInstance,0_2_00402104
Source: C:\Users\user\Desktop\Collaboration-x64.exe File created: C:\Program Files\Wildix Collaboration
Source: C:\Users\user\Desktop\Collaboration-x64.exe File created: C:\Users\user\AppData\Local\wildix-collaboration-updater
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4548:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4048:120:WilError_03
Source: C:\Users\user\Desktop\Collaboration-x64.exe Mutant created: \Sessions\1\BaseNamedObjects\44138925-f2ba-545d-a77a-222326161a05
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2024:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03
Source: C:\Users\user\Desktop\Collaboration-x64.exe File created: C:\Users\user\AppData\Local\Temp\nsu7F6E.tmp
Source: Collaboration-x64.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIui.exe")
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wiservice-ui.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync64.exe")
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync64.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wiservice-ui.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIui.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIui.exe")
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookIntegration.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync32.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wiservice-ui.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync64.exe")
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookIntegration.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIui.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookIntegration.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wiservice-ui.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync64.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookIntegration.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync64.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIui.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookIntegration.exe")
Source: C:\Users\user\Desktop\Collaboration-x64.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Collaboration-x64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT name FROM sqlite_master WHERE type='table';
Source: C:\Users\user\Desktop\Collaboration-x64.exe File read: C:\Users\user\Desktop\Collaboration-x64.exe
Source: unknown Process created: C:\Users\user\Desktop\Collaboration-x64.exe "C:\Users\user\Desktop\Collaboration-x64.exe"
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm" "C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll" /silent /codebase
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Program Files\Wildix\WIService\wiservice.exe "C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter
Source: unknownProcess created: C:\Windows\System32\spoolsv.exe C:\Windows\System32\spoolsv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\System32\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm" "C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll" /silent /codebase
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Program Files\Wildix\WIService\wiservice.exe "C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Program Files\Wildix\WIService\wiservice.exe "C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Uninstall.lnk.13.dr | LNK file: ..\..\..\..\..\..\..\Program Files\Wildix\WIService\UninstallWIService.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Wildix.AddIn
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\uninstallerIcon.ico
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\chrome_100_percent.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\chrome_200_percent.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\icudtl.dat
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\libEGL.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\libGLESv2.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\LICENSE.electron.txt
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\LICENSES.chromium.html
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\snapshot_blob.bin
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\v8_context_snapshot.bin
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\vk_swiftshader.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\vk_swiftshader_icd.json
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\vulkan-1.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\af.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\am.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ar.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\bg.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\bn.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ca.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\cs.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\da.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\de.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\el.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\en-GB.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\en-US.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\es-419.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\es.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\et.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\fa.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\fi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\fil.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\fr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\gu.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\he.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\hi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\hr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\hu.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\id.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\it.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ja.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\kn.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ko.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\lt.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\lv.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ml.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\mr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ms.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\nb.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\nl.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\pl.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\pt-BR.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\pt-PT.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ro.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ru.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\sk.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\sl.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\sr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\sv.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\sw.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ta.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\te.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\th.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\tr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\uk.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\ur.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\vi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\zh-CN.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\locales\zh-TW.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\app.asar
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\elevate.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\ArchitectureAgnosticRegistry.vbs
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\ArchitectureSpecificRegistry.vbs
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\JsonSafeTest.wsf
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regCreateKey.wsf
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regDeleteKey.wsf
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regList.wsf
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regListStream.wsf
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regPutValue.wsf
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regUtil.vbs
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\util.vbs
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Directory created: C:\Program Files\Wildix Collaboration\Uninstall Wildix Collaboration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\DseaCallControlSdk.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wildix.ico
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wiservice.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WisUpdateCheckerTaskX64.xml
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\x-bees.ico
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\imgprint.gpd
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDDTYPE.GDL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDNAMES.GPD
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDSCHEM.GDL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDSCHMX.GDL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRV.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRV.HLP
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIRES.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\wfaxport.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtBase0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtHeadset0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\resources
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\resources\cdr.db
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Office.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\UC.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\websocket-sharp.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wildix-oi.ico
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll.manifest
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookCommon.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.vsto
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\dotnet-dump.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wiservice.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtBase0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtHeadset0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\UninstallWIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\proxyex.lnk
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtBase0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtHeadset0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\UninstallWIService.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\44138925-f2ba-545d-a77a-222326161a05
Source: Collaboration-x64.exeStatic PE information: certificate valid
Source: Collaboration-x64.exeStatic file information: File size 104457632 > 1048576
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeFile opened: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dllJump to behavior
Source: Collaboration-x64.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: elevate.exe.0.dr
Source: Binary string: D3DCompiler_47.pdb source: Collaboration-x64.exe, 00000000.00000003.2028728205.0000000005107000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\asn1\x_info.ccrypto\pem\pem_info.ccrypto\ocsp\ocsp_lib.c0 source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\win-x64-release\wiservice.pdb: source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.2033867466.0000000002A3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.2030038197.000000000510C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\electron.exe.pdb source: Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: Collaboration-x64.exe, 00000000.00000003.2028728205.0000000005107000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1902299152.0000000006020000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2047863312.0000000005101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1902299152.0000000006020000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\win-x64-release\wiservice.pdb source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\projects\serilog-sinks-console\src\Serilog.Sinks.Console\obj\Release\net45\Serilog.Sinks.Console.pdbP source: Serilog.Sinks.Console.dll.7.dr
Source: Binary string: C:\projects\serilog-sinks-console\src\Serilog.Sinks.Console\obj\Release\net45\Serilog.Sinks.Console.pdb source: Serilog.Sinks.Console.dll.7.dr
Source: Newtonsoft.Json.dll.7.dr | Static PE information: TimeDateStamp 0xDFF1C7F1 [Fri Jan 21 16:48:49 2089 UTC]. Caveat: Newtonsoft.Json.dll is a managed assembly, and managed assemblies built deterministically carry a content hash with the high bit forced on in this field instead of a build time, so a date after 2038 is the expected shape of such a stamp and is not on its own evidence of tampering; verify the file's Authenticode signature instead.
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Code function: 0_2_100010D0 GetVersionExW,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,lstrcpynW,lstrcmpiW,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcmpiW,CloseHandle,FreeLibrary | 0_2_100010D0
Source: vulkan-1.dll.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: vulkan-1.dll0.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: Wildix Collaboration.exe.0.dr | Static PE information: section names: .gxfg, .retplne, .rodata, CPADinfo, LZMADEC, _RDATA, malloc_h
Source: Wildix Collaboration.exe0.0.dr | Static PE information: section names: .gxfg, .retplne, .rodata, CPADinfo, LZMADEC, _RDATA, malloc_h
Source: ffmpeg.dll.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: libEGL.dll.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: libGLESv2.dll.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: vk_swiftshader.dll.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: ffmpeg.dll0.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: libEGL.dll0.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: libGLESv2.dll0.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: vk_swiftshader.dll0.0.dr | Static PE information: section names: .gxfg, .retplne, _RDATA
Source: wiservice.exe.7.dr | Static PE information: section name: _RDATA
Source: wfaxport.dll.7.dr | Static PE information: section name: _RDATA
Source: WildixOutlookSync64.exe.7.dr | Static PE information: section name: _RDATA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | Code function: 99_2_00007FFD9BD02552 push eax; iretd | 99_2_00007FFD9BD02553
Source: msvcrt.dll.7.dr | Static PE information: .text entropy: 6.892055007396566
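The timestamp and section-name rows above are the kind of static signal that needs a second look before it counts for anything: Newtonsoft.Json.dll is a managed assembly, and a deterministic managed build writes a content hash with the high bit set into TimeDateStamp, so a 2089 date there is expected rather than suspicious; and the .gxfg, .retplne and _RDATA names recur across the Electron runtime components the installer drops (vulkan-1.dll, ffmpeg.dll, libEGL.dll, libGLESv2.dll, vk_swiftshader.dll and the main executable), so a consistent set across a known framework is not by itself an indicator. The Python below is an added example, not code from the report or from Wildix: it parses the COFF header, DllCharacteristics and section table of a PE image, classifies the timestamp, and lists section names outside the usual MSVC set. The header-only image it builds as input and the set of section names it treats as standard are constructed for the example.

```python
import struct
import time
from datetime import datetime, timedelta, timezone
from typing import Optional

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Section names a plain MSVC link produces; anything else is reported for review.
# This set is an assumption of the example, not an authoritative list.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
                   ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".00cfg", ".didat", ".xdata"}

# Constructed section list mirroring the names the report shows for
# Wildix Collaboration.exe, with standard sections around them.
SAMPLE_SECTIONS = [".text", ".rdata", ".data", ".pdata", ".gxfg", ".retplne", ".rodata",
                   "CPADinfo", "LZMADEC", "_RDATA", "malloc_h", ".rsrc", ".reloc"]


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, DllCharacteristics and section names of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0] if opt_size >= 72 else 0
    sec_tab = opt + opt_size
    names = [data[sec_tab + 40 * i: sec_tab + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsec)]
    return {"machine": machine, "timestamp": stamp, "dll_characteristics": dll_chars,
            "sections": names}


def timestamp_utc(stamp: int) -> datetime:
    # Computed arithmetically so values past 2038 work on every platform.
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=stamp)


def classify_timestamp(stamp: int, now_epoch: Optional[int] = None) -> str:
    if stamp == 0:
        return "zero: timestamp stripped"
    if stamp & 0x80000000:
        # Deterministic managed builds store a content hash here with the high bit
        # forced on, so the "date" is always after 2038 and is not a clock value.
        return "high bit set: hash-style stamp of a deterministic managed build"
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    return "future" if stamp > now_epoch else "plausible"


def decode_dll_characteristics(value: int) -> list:
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def triage_pe(data: bytes, now_epoch: Optional[int] = None) -> dict:
    hdr = parse_pe(data)
    return {
        "machine": hex(hdr["machine"]),
        "timestamp": hdr["timestamp"],
        "timestamp_utc": timestamp_utc(hdr["timestamp"]).isoformat(),
        "timestamp_verdict": classify_timestamp(hdr["timestamp"], now_epoch),
        "dll_characteristics": decode_dll_characteristics(hdr["dll_characteristics"]),
        "sections": hdr["sections"],
        "nonstandard_sections": [s for s in hdr["sections"] if s not in COMMON_SECTIONS],
    }


def build_minimal_pe(stamp: int, section_names: list, dll_characteristics: int) -> bytes:
    """Constructed test input: a header-only PE32+ image with no code, just enough
    for parse_pe(). It is not a real sample from the report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), stamp, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                        # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    secs = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    # 0xDFF1C7F1 and the DllCharacteristics flags are the values the report lists.
    image = build_minimal_pe(0xDFF1C7F1, SAMPLE_SECTIONS, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    for key, val in triage_pe(image).items():
        print(f"{key:22} {val}")
```

Run it against a real dropped file by replacing the constructed image with the file's bytes; the verdict on the timestamp is only a hint, and the definitive check for a signed vendor file remains its Authenticode signature.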
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\UninstallWIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\fax\UNIRES.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\nsis7z.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\Wildix Collaboration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Users\user\AppData\Local\Temp\nsbD58.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\WildixOutlookCommon.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\WildixOutlookSync32.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nsf193E.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\UC.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\fax\wfaxport.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\websocket-sharp.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Users\user\AppData\Local\Temp\nsbD58.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\fax\UNIDRV.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Office.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\vulkan-1.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SpiderBanner.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\StdUtils.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\DseaCallControlSdk.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nsf193E.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\dotnet-dump.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nsh1036.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\libGLESv2.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\wiservice.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nsh1036.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Serilog.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nsh1036.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nsf193E.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nsf193E.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nsh1036.tmp\System.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\LICENSE.electron.txt

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix Collaboration.lnk
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\WIService
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\WIService\Uninstall.lnk
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WIService
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WIService
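The scheduled task above runs SetupWIService.exe from the installing user's own temp directory (C:\Users\user\AppData\Local\Temp\nsa8163.tmp) every hour as SYSTEM at the highest run level. Whoever can write to that path can therefore obtain SYSTEM execution on the next trigger: if the NSIS temp directory is removed after installation the task merely fails, but the task definition stays behind and the directory sits in a tree that user controls. The HKLM Run value is a second, user-context persistence point and is not covered by the check. The Python below is an added example, not part of the report or of the Wildix installer: it parses schtasks /create command lines as they appear in process-creation logs, extracts the run-as account, run level and action path, and flags SYSTEM tasks whose binary sits under a user-writable tree. The log format (a CommandLine= field), the list of user-writable prefixes and every command line other than the first are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation records (not raw logs from the sandbox run). The
# first command line is the one the report shows; the rest are made up for contrast.
SAMPLE_LOG = [
    r"""Image=C:\Windows\SysWOW64\schtasks.exe CommandLine=schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F""",
    r"""Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /SC DAILY /TN "Vendor\Updater" /TR "'C:\Program Files\Vendor\update.exe' /silent" /RU SYSTEM /RL HIGHEST /F""",
    r"""Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /SC ONLOGON /TN "UserSync" /TR "C:\Users\user\AppData\Local\Sync\sync.exe --quiet" /F""",
    r"""Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /delete /TN "Old" /F""",
]

# schtasks /create switches that take a value; anything else (/F, /Z, /IT ...) is a bare flag.
VALUE_OPTS = {"/tn", "/tr", "/ru", "/rp", "/rl", "/sc", "/mo", "/st", "/sd", "/ed", "/et",
              "/du", "/d", "/m", "/i", "/s", "/u", "/p", "/xml", "/ec", "/ri", "/delay"}

# Trees an unprivileged user can write to (assumed list). C:\Users\<name> belongs to one
# user, but a SYSTEM task pointing there still hands that user, or malware running as
# them, SYSTEM execution.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_ACCOUNTS = {"system", "nt authority\\system", "localsystem"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in _TOKEN.finditer(cmd)]


def parse_schtasks_create(cmd: str) -> Optional[dict]:
    """Map lower-cased switches to values for a 'schtasks /create' line, else None."""
    toks = tokenize(cmd)
    if len(toks) < 2:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe") or toks[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(toks):
        sw = toks[i].lower()
        if sw in VALUE_OPTS and i + 1 < len(toks):
            opts[sw], i = toks[i + 1], i + 2
        else:
            opts[sw], i = "", i + 1
    return opts


def action_path(task_run: str) -> str:
    """Executable part of a /TR value: the quoted path, or the text up to the first
    space (the same ambiguity CreateProcess resolves for unquoted paths)."""
    s = task_run.strip()
    if s[:1] in ("'", '"'):
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    """Coarse prefix check; a live check would read the DACL of the file and its parents."""
    return path.lower().replace("/", "\\").startswith(USER_WRITABLE_PREFIXES)


@dataclass
class TaskFinding:
    task_name: str
    run_as: str
    run_level: str
    action: str
    runs_as_system: bool
    user_writable_action: bool

    @property
    def severity(self) -> str:
        if self.runs_as_system and self.user_writable_action:
            return "high"      # user-writable binary run as SYSTEM: EoP plus persistence
        if self.runs_as_system:
            return "medium"    # SYSTEM task: verify the binary's ACL and signature
        if self.user_writable_action:
            return "low"       # persistence in the user's own context
        return "info"


def assess(opts: dict) -> TaskFinding:
    run_as = opts.get("/ru", "")
    action = action_path(opts.get("/tr", ""))
    return TaskFinding(task_name=opts.get("/tn", ""), run_as=run_as,
                       run_level=opts.get("/rl", "LIMITED").upper(), action=action,
                       runs_as_system=run_as.lower() in SYSTEM_ACCOUNTS,
                       user_writable_action=is_user_writable(action))


def scan_process_log(lines) -> list:
    """Return a TaskFinding for every 'schtasks /create' seen in CommandLine= fields."""
    findings = []
    for line in lines:
        _, sep, cmd = line.partition("CommandLine=")
        if sep:
            opts = parse_schtasks_create(cmd)
            if opts is not None:
                findings.append(assess(opts))
    return findings


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.task_name!r} as {f.run_as or '(caller)'} /RL {f.run_level} -> {f.action}")
```

On a live host the same triage applies to tasks that already exist: export them with schtasks /query /xml, read the Principal and Exec/Command elements, and run the path through the writability check against the real DACLs rather than the prefix list used here.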
Process information set: NOOPENFILEERRORBOX (SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the system error dialog when a file open fails). As the tally shows, Windows tools such as conhost.exe, schtasks.exe and taskkill.exe set it as well, so on its own it is not an indicator. Entries by source process:
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Process information set: NOOPENFILEERRORBOX | 5 entries
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX | 2 entries
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe | Process information set: NOOPENFILEERRORBOX | 6 entries
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX | 26 entries
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX | 26 entries
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX | 24 entries
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX | 76 entries
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\spoolsv.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\spoolsv.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Memory allocated: 2A1F96C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Memory allocated: 2A1FB090000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Code function: 99_2_00007FFD9BD0012C rdtsc 99_2_00007FFD9BD0012C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\UninstallWIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\fax\UNIRES.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\nsis7z.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\Wildix Collaboration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsbD58.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookCommon.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookSync32.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Windows\Temp\nsf193E.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\UC.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\fax\wfaxport.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\websocket-sharp.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\fax\UNIDRV.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsbD58.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Office.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\vulkan-1.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SpiderBanner.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\StdUtils.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\DseaCallControlSdk.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Windows\Temp\nsf193E.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLL
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\dotnet-dump.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Windows\Temp\nsh1036.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\libGLESv2.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Windows\Temp\nsh1036.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Serilog.dll
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe TID: 3060; Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe TID: 3796; Thread sleep count: 77 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 984; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 2108; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 1608; Thread sleep count: 190 > 30
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\Collaboration-x64.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Code function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Code function: 7_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Code function: 7_2_00406873 FindFirstFileW,FindClose,7_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Code function: 7_2_0040290B FindFirstFileW,7_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Code function: 13_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,13_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Code function: 13_2_00406873 FindFirstFileW,FindClose,13_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; Code function: 13_2_0040290B FindFirstFileW,13_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
Source: libGLESv2.dll.0.dr; Binary or memory string: VMware
Source: Collaboration-x64.exe; Binary or memory string: <(xvmci
Source: libGLESv2.dll.0.dr; Binary or memory string: (IsLinux() && isVMWare) || (IsAndroid() && isNvidia) || (IsAndroid() && GetAndroidSDKVersion() < 27 && IsAdreno5xxOrOlder(functions)) || (!isMesa && IsMaliT8xxOrOlder(functions)) || (!isMesa && IsMaliG31OrOlder(functions))
Source: libGLESv2.dll.0.dr; Binary or memory string: IIAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTest
Source: Collaboration-x64.exe, 00000000.00000003.2030038197.000000000510C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tga
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.00000000076D9000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: Collaboration-x64.exe, 00000000.00000003.2030038197.000000000510C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMware Screen Codec / VMware Video
Source: wiservice.exe, 00000066.00000002.2310136520.000001A9516C3000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 00000067.00000002.2339173168.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 00000067.00000003.2309376823.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 00000067.00000003.2310085373.00000000005FD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe; API call chain: ExitProcess graph end node graph_0-3551
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; API call chain: ExitProcess graph end node graph_7-3463
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe; API call chain: ExitProcess graph end node graph_13-3463
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Code function: 99_2_00007FFD9BD0012C rdtsc 99_2_00007FFD9BD0012C
Source: C:\Users\user\Desktop\Collaboration-x64.exe; Code function: 0_2_100010D0 GetVersionExW,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,lstrcpynW,lstrcmpiW,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcmpiW,CloseHandle,FreeLibrary,0_2_100010D0
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm" "C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll" /silent /codebase
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: {}delete server {:#x}new {}x{} {}bpp framebufferdeleting old {}x{} {}bpp framebufferframebuffer size changed {}x{} -> {}x{}unsetting desktop {:#x}couldn't send ERROR messagecouldn't send auth result: %serror sending OK messagewrite timeoutInvalid Security Typeinvalid security type {}read error while receiving security typeclient gone while receiving security typerects data size mismatch ({})couldn't send encoded datacouldn't send raw datacouldn't send rect headercouldn't send update message headerclient gone while sending update message headercouldn't send message headersending {} rectsVNC main thread started SERVER: {:#08x}vnccouldn't send update message rect headerregister RFB encoding: code:{:#x} name:{}Encoding 0x%Xregister RFB message: code:{}couldn't initialize extensioncouldn't send protocol versionserver extension returned FALSE on connectregister RFB pseudo encoding: code:{:#x} name:{}PseudoEncoding 0x%Xclient RFB version: {}.{}invalid RFB clientcouldn't receive client protocol versionclient gone while receiving protocol versionusing auth type {}minor RFB version mismatchRFB version mismatch: server %d.%d, client %d.%dmajor RFB version mismatchcouldn't receive client init messageclient gone while initializingcouldn't send auth typeclient gone while sending auth typecouldn't create output threadcouldn't send server init messageclient gone while sending server init messageframebuffer size: {}x{}couldn't receive SetPixelFormat messageclient gone while receiving SetPixelFormat messagecouldn't receive client messageclient gone while receiving messagefix_color_map_entries is not supportedcouldn't FixColorMapEntries messageclient gone while receiving FixColorMapEntries messagerequested {}bpp pixel formatcouldn't recieve encoding typeclient gone while receiving encoding typecouldn't receive SetEncodings messageclient gone while receiving SetEncodings messageextension failed to process encoding {}recv encoding: {}enabling immediate_update extension for client {}enabling desktop_resize extension for client {}client gone while receiving FramebufferUpdateRequest messageunknown encoding type: {:#x}extension failed to process pseudo encoding {}recv pseudo encoding: {}presscouldn't receive KeyEvent messageclient gone while receiving KeyEvent messagecouldn't receive FrameBufferUpdateRequest messagecouldn't receive PointerEvent messageclient gone while receiving PointerEvent messagerecv key_event: keysym:{:#x} {}unpresscouldn't receive clipboard textclient gone while receiving clipboard textcouldn't receive CutText messageclient gone while receiving CutText messageextension failed to process message {}couldn't receive SetScaleFactor messageclient gone while receiving SetScaleFactor messagerecv clipboard: {}failed to deinit extensionserver extension returned FALSE on disconnectcouldn't join output threadunknown client message {}couldn't send extension dataclient gone while sending extension dataout vncVNC main thread EXIT SERVER: {:#08x}performing full fr
Source: Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007572000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ..\..\third_party\webrtc\modules\desktop_capture\win\window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_Progman..\..\third_party\webrtc\modules\desktop_capture\cropping_window_capturer.ccWindow no longer on top when ScreenCapturer finishesScreenCapturer failed to capture a frameWindow rect is emptyWindow is outside of the captured displaySysShadowWebRTC.DesktopCapture.Win.WindowGdiCapturerFrameTimeWindowCapturerWinGdi::CaptureFrame..\..\third_party\webrtc\modules\desktop_capture\win\window_capturer_win_gdi.ccWindow hasn't been selected: Target window has been closed.Failed to get drawable window area: Failed to get window DC: Failed to create frame.Both PrintWindow() and BitBlt() failed.Capturing owned window failed (previous error/warning pertained to that)WebRTC.DesktopCapture.BlankFrameDetectedWebRTC.DesktopCapture.PrimaryCapturerSelectSourceErrorWebRTC.DesktopCapture.PrimaryCapturerErrorWebRTC.DesktopCapture.PrimaryCapturerPermanentErrordwmapi.dllDwmEnableCompositionScreenCapturerWinGdi::CaptureFrame..\..\third_party\webrtc\modules\desktop_capture\win\screen_capturer_win_gdi.ccFailed to capture screen by GDI.WebRTC.DesktopCapture.Win.ScreenGdiCapturerFrameTimedesktop_dc_memory_dc_Failed to get screen rect.Failed to create frame buffer.Failed to select current bitmap into memery dc.BitBlt failed..\..\third_party\webrtc\modules\desktop_capture\win\cursor.ccCreateMouseCursorFromHCursorUnable to get cursor icon info. Error = Unable to get bitmap info. Error = Unable to get bitmap bits. Error = `
Source: wiservice.exe, 00000066.00000002.2312815576.00007FF775561000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: couldn't create streamer iteration threadcouldn't join streamer iteration threadjoin streamer iteration threadstreamerC:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\wiservice\integrations\screen-sharing\Streamer.cppWD_REFM_OKWD_REFM_01streamer's pending connection couldn't complete in {}mswaiting for all connections to resolveinvalid wildix auth replywildix auth reply '{}' receivedwildix auth marker '{}' sentXauth failedcouldn't create socketconnecting to {}:{}seqid {:#x} does not match last sent PING request ({:#x})configinvalid peer '{}'%dserver connectedSHUTDOWNcouldn't reconnectE_SCREEN_SHARINGdisplayssetting 'display' parameter to '{}'put message on hold because user does not allow remote controlpongR_SCREEN_SHARINGcouldn't parse message JSONlaunching system process toolsetting 'app' parameter to '{}'setting 'control' parameter to '{}'pinginvalid commandseqidinvalid msgdataunrecognized command '{}'showprocesstoolgetconfigsetparametersdesktop recording is restrictedprocess pending parameters change requestlast iteration took {}ms{}:{}recreating desktop objectsecond lock took {}msdesktop update took {}msdesktop target check took {}msfirst lock took {}mssleep took {}msthird lock took {}msframebuffer update took {}msdesktop resize took {}msconnection goneserver screenupdate took {} msclosing server due to screen resizesize: {}x{}, desktop size: {}x{}exit loopreconnecting due to error, {} attempts left{}ms without PONG replies from clientWIService.DesktopNotifyC:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\wiservice\integrations\screen-sharing\utils\win\WinDesktopConfiguration.cppStarting desktop notifications loopProgmanFinishing desktop notifications loopDesktop configuration changedCouldn't create desktop notification window. CreateWindowExW() failed with error {}Generic PnP MonitorRefreshing desktop configurationRefreshing window configurationButtonNo HMONITOR found for supplied device index {}hilu
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Queries volume information: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Outlook\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\office\15.0.0.0__71e9bce111e9429c\OFFICE.DLL VolumeInformation
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\Collaboration-x64.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
MITRE ATT&CK matrix columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Windows Management Instrumentation
1
DLL Side-Loading
1
DLL Side-Loading
311
Disable or Modify Tools
11
Input Capture
2
File and Directory Discovery
Remote Services11
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts1
Native API
1
DLL Search Order Hijacking
1
DLL Search Order Hijacking
1
Deobfuscate/Decode Files or Information
LSASS Memory17
System Information Discovery
Remote Desktop Protocol11
Input Capture
1
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Scheduled Task/Job
1
Windows Service
1
Access Token Manipulation
3
Obfuscated Files or Information
Security Account Manager11
Security Software Discovery
SMB/Windows Admin Shares1
Clipboard Data
1
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCron1
Scheduled Task/Job
1
Windows Service
1
Software Packing
NTDS2
Process Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
MITRE ATT&CK matrix (remaining rows; the table was flattened during extraction and the cells of unflagged techniques ran together, so only the flagged entries are recoverable). Techniques flagged for this sample in these rows, some listed under more than one tactic column: Registry Run Keys / Startup Folder, Process Injection, Timestomp, Virtualization/Sandbox Evasion, Scheduled Task/Job, DLL Side-Loading, DLL Search Order Hijacking, File Deletion, Masquerading, Access Token Manipulation.

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1590179
Sample: Collaboration-x64.exe
Startdate: 13/01/2025
Architecture: WINDOWS
Score: 57

Root node
  DNS/IP: chrome.cloudflare-dns.com
  Signatures: Sigma detected: Invoke-Obfuscation CLIP+ Launcher; Sigma detected: Suspicious Schtasks Execution AppData Folder; Sigma detected: Invoke-Obfuscation VAR+ Launcher; Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges

Process tree (numbers in brackets are the created registry value / created file counts shown on the graph nodes, per the legend above):

Collaboration-x64.exe [13 227]
  dropped: C:\Program Files\...\Wildix Collaboration.exe (PE32+); C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\nsProcess.dll (PE32); 17 other files (none is malicious)
  signatures: Uses netsh to modify the Windows network and firewall settings; Drops large PE files; Modifies the windows firewall
  started: SetupWIService.exe [11 77]
    dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Program Files\Wildix\...\wiservice.exe (PE32+); 29 other files (none is malicious)
    started: 12 other processes
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Excessive usage of taskkill to terminate processes
      started: conhost.exe; conhost.exe; schtasks.exe [1]; 16 other processes
  started: netsh.exe [2]
    started: conhost.exe
SetupWIService.exe [3 39]
  dropped: C:\Windows\Temp\nsh1036.tmp\nsExec.dll (PE32); C:\Windows\Temp\nsh1036.tmp\System.dll (PE32); C:\Program Files\...\UninstallWIService.exe (PE32)
  signatures: Excessive usage of taskkill to terminate processes
  started: cmd.exe (-> 2 other processes); cmd.exe (-> 2 other processes); cmd.exe (-> 2 other processes); 10 other processes (-> 14 other processes -> conhost.exe -> Conhost.exe; -> taskkill.exe)
SetupWIService.exe
  dropped: C:\Windows\Temp\nsf193E.tmp\nsExec.dll (PE32); C:\Windows\Temp\nsf193E.tmp\System.dll (PE32)
  started: cmd.exe (signature: Excessive usage of taskkill to terminate processes; -> 2 other processes -> Conhost.exe); cmd.exe (-> 2 other processes -> Conhost.exe); 10 other processes (-> 17 other processes)
spoolsv.exe

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label | Link
Collaboration-x64.exe | 0% | Virustotal | | Browse
Collaboration-x64.exe | 0% | ReversingLabs | |
Source | Detection | Scanner | Label | Link
C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe | 0% | ReversingLabs | |
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix Collaboration\ffmpeg.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix Collaboration\libEGL.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix Collaboration\libGLESv2.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix Collaboration\vk_swiftshader.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix Collaboration\vulkan-1.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\DseaCallControlSdk.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Office.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\Serilog.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\UC.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\UninstallWIService.exe | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\WildixOutlookCommon.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\WildixOutlookSync32.exe | 3% | ReversingLabs | |
C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\dotnet-dump.exe | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\fax\UNIDRV.DLL | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLL | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\fax\UNIRES.DLL | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\fax\wfaxport.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\websocket-sharp.dll | 0% | ReversingLabs | |
C:\Program Files\Wildix\WIService\wiservice.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\Wildix Collaboration.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\d3dcompiler_47.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\ffmpeg.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.chromestatus.com/feature/5093566007214080ErrorEventInitG | 0% | Avira URL Cloud | safe |
https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope. | 0% | Avira URL Cloud | safe |
https://w3c.github.io/manifest/#installability-signals | 0% | Avira URL Cloud | safe |
https://www.bluetooth.com/specifications/gatt/services | 0% | Avira URL Cloud | safe |
https://www.chromestatus.com/feature/5093566007214080 | 0% | Avira URL Cloud | safe |
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html | 0% | Avira URL Cloud | safe |
https://wicg.github.io/entries-api/#dom-htmlinputelement-webkitdirectory). | 0% | Avira URL Cloud | safe |
https://webidl.spec.whatwg.org/#abstract-opdef-converttoint | 0% | Avira URL Cloud | safe |
http://www.portaudio.com | 0% | Avira URL Cloud | safe |
https://passwords.google.comCompte | 0% | Avira URL Cloud | safe |
https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk | 0% | Avira URL Cloud | safe |
https://streams.spec.whatwg.org/#example-manual-write-with-backpressure | 0% | Avira URL Cloud | safe |
https://www.chromestatus.com/feature/6662647093133312 | 0% | Avira URL Cloud | safe |
https://www.khronos.org/registry/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
chrome.cloudflare-dns.com | 172.64.41.3 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-status | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/simplejson/simplejson | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://tools.ietf.org/html/rfc6455#section-1.3 | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.chromestatus.com/feature/5093566007214080ErrorEventInitG | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/answer/6098869 | Collaboration-x64.exe, 00000000.00000003.2099304396.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099671309.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2097865932.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2098690448.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2100386244.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099003713.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099989651.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2115138291.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2098274265.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2114788244.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, zh-CN.pak.0.dr, fr.pak.0.dr | false | | high
https://www.bluetooth.com/specifications/gatt/services | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/mathiasbynens/emoji-regex.git | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/WebBluetoothCG/web-bluetooth/blob/main/implementation-status.md | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/nodejs/node/pull/35941 | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.chromestatus.com/feature/5093566007214080 | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://console.spec.whatwg.org/#table | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://goo.gl/7K7WLuThe | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://docs.google.com/ | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://encoding.spec.whatwg.org/#textencoder | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://goo.gl/7K7WLu | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/mikeal/forever-agent | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/tc39/proposal-weakrefs | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://goo.gl/t5IS6M). | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://tukaani.org/xz/>. | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://wicg.github.io/entries-api/#dom-htmlinputelement-webkitdirectory). | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://url.spec.whatwg.org/#concept-urlencoded-serializer | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/google/pprof/tree/master/proto | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/jrmuizel/qcms/tree/v4 | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://nodejs.org/api/fs.html | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://chromium.googlesource.com/chromium/src/ | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://nodejs.org/images/logo.png | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://bit.ly/3rpDuEX. | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://w3c.github.io/manifest/#installability-signals | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.midnight-commander.org/browser/lib/tty/key.c | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://nodejs.org/ | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://tools.ietf.org/html/rfc7540#section-8.1.2.5 | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://exslt.org/common | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/tensorflow/models | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://c.docs.google.com/ | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/KhronosGroup/SPIRV-Headers.git | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://tc39.es/ecma262/#sec-timeclip | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w | Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.dr | false | | high
https://github.com/nodejs/node/pull/33661 | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://narwhaljs.org) | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/tensorflow/tflite-support | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/WICG/scheduling-apis | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/nodejs/node/pull/48477#issuecomment-1604586650 | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://pypi.org/project/pyparsing | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://sqlite.org/ | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://code.google.com/p/chromium/issues/detail?id=25916 | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://webidl.spec.whatwg.org/#abstract-opdef-converttoint | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wiki.debian.org/XDGBaseDirectorySpecification#state | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://fetch.spec.whatwg.org/#fetch-timing-info | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://webassembly.github.io/spec/web-api | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-statusFailed | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://coveralls.io/github/form-data/form-data?branch=master) | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/nodejs/node/pull/12607 | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope. | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecma-international.org/ecma-262/#sec-line-terminators | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://developer.chrome.com/docs/extensions/mv3/service_workers/events/Script | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://sizzlejs.com/ | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://gitter.im/form-data/form-data) | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.npmjs.com/package/form-data) | Collaboration-x64.exe, 00000000.00000003.1888616018.0000000005760000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.portaudio.com | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://beacons.gcp.gvt2.com/domainreliability/upload | Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/google/shell-encryption | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://heycam.github.io/webidl/#es-iterable-entries | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/wasdk/wasmparser | Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://heycam.github.io/webidl/#es-interfaces | Collaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://passwords.google.comCompte | Collaboration-x64.exe, 00000000.00000003.2099304396.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/nodejs/node/issues | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://github.com/denoland/deno/blob/main/LICENSE.md. | Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp | false | | high
                                                                                                                                  high
                                                                                                                                  https://goo.gl/4NeimXOriginCollaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunkCollaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    http://subca.ocsp-certum.com05Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drfalse
                                                                                                                                      high
                                                                                                                                      https://tc39.github.io/ecma262/#sec-object.prototype.tostringCollaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://url.spec.whatwg.org/#urlsearchparamsCollaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://github.com/dpranke/typ.gitCollaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://subca.ocsp-certum.com02Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drfalse
                                                                                                                                              high
                                                                                                                                              https://infra.spec.whatwg.org/#ascii-whitespaceCollaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://subca.ocsp-certum.com01Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://chromeenterprise.google/policies/#BrowserSwitcherUrlListCollaboration-x64.exe, 00000000.00000003.2099304396.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2099671309.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2100386244.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, zh-CN.pak.0.dr, fr.pak.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    http://repository.certum.pl/ctnca2.cer09Collaboration-x64.exe, 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.2121855594.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984801226.0000000005320000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.2051680060.0000000005105000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1984421366.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000028.00000002.2979062910.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, Microsoft.Office.Uc.dll.7.dr, elevate.exe.0.dr, Serilog.Sinks.Console.dll.7.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://streams.spec.whatwg.org/#example-manual-write-with-backpressureCollaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://github.com/nodejs/node/pull/30380#issuecomment-552948364Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setintervalCollaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.khronos.org/registry/Collaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://heycam.github.io/webidl/#dfn-iterator-prototype-objectCollaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://.jpgCollaboration-x64.exe, 00000000.00000003.1993585054.0000000005AE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://nodejs.org/download/release/v20.9.0/node-v20.9.0.tar.gzCollaboration-x64.exe, 00000000.00000003.1996145346.0000000007360000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://datatracker.ietf.org/doc/html/rfc7238Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://github.com/requests/toolbeltCollaboration-x64.exe, 00000000.00000003.2039486076.0000000005109000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1874733412.0000000005C60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://android.com/payCollaboration-x64.exe, 00000000.00000003.1993585054.0000000005B63000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://github.com/nodejs/node/pull/38614)Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://github.com/nodejs/node/issues/10673Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://github.com/nodejs/node/pull/32887Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://www.chromestatus.com/feature/6662647093133312Collaboration-x64.exe, 00000000.00000003.1993585054.0000000005B58000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                                            unknown
                                                                                                                                                                            https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-objectCollaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://github.com/nodejs/node/issues/19009Collaboration-x64.exe, 00000000.00000003.1995663772.0000000006F60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590179
Start date and time: 2025-01-13 17:35:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 128
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Collaboration-x64.exe
Detection: MAL
Classification: mal57.evad.winEXE@235/163@4/0
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 145
• Number of non-executed functions: 76
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.109.210.53, 13.107.246.45, 52.109.89.18, 52.113.194.132
• Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, files.wildix.com, feedback.wildix.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, crt.usertrust.com, e16604.g.akamaiedge.net, crt.sectigo.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net
• Execution Graph export aborted for target RegAsm.exe, PID 5444 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Time      Type            Description
16:36:46  Task Scheduler  Run new task: WIService failed update recovery path: "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" s>/S /updateRecovery=true
16:36:48  Task Scheduler  Run new task: WIService update recovery path: "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" s>/S
16:37:06  Task Scheduler  Run new task: WIService update checker path: C:\Program Files\Wildix\WIService\wiservice.exe s>--update
16:37:06  Autostart       Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WIService C:\Program Files\Wildix\WIService\WIService.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
chrome.cloudflare-dns.com | JUbmpeT.exe | Get hash | malicious | Vidar | Browse | 162.159.61.3
 | 3bSDIpSIdF.msi | Get hash | malicious | Unknown | Browse | 172.64.41.3
 | 3bSDIpSIdF.msi | Get hash | malicious | Unknown | Browse | 172.64.41.3
 | mNPTwHOuvT.exe | Get hash | malicious | Vidar | Browse | 162.159.61.3
 | 1507513743282749438.js | Get hash | malicious | Strela Downloader | Browse | 162.159.61.3
 | 44742054371077666.js | Get hash | malicious | Strela Downloader | Browse | 172.64.41.3
 | https://www.axis.com/ftp/pub_soft/cam_srv/IPUtility/latest/AxisIPUtilitySetup.exe | Get hash | malicious | Unknown | Browse | 162.159.61.3
 | https://sanctionssearch.ofac.treas.gov | Get hash | malicious | Unknown | Browse | 162.159.61.3
 | https://downloads.jam-software.de/ultrasearch/UltraSearch-Setup.exe | Get hash | malicious | Unknown | Browse | 162.159.61.3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | Yoranis Setup.exe | Get hash | malicious | Unknown | Browse |
 | Yoranis Setup.exe | Get hash | malicious | Unknown | Browse |
 | SalmonSamurai.exe | Get hash | malicious | Unknown | Browse |
 | SalmonSamurai.exe | Get hash | malicious | Unknown | Browse |
 | NativeApp_G5L1NHZZ.exe | Get hash | malicious | LummaC Stealer | Browse |
 | CapCut_12.0.4_Installer.exe | Get hash | malicious | LummaC Stealer | Browse |
 | CapCut_12.0.4_Installer.exe | Get hash | malicious | LummaC Stealer | Browse |
 | AyqwnIUrcz.exe | Get hash | malicious | Unknown | Browse |
 | nanophanotool.exe | Get hash | malicious | LummaC Stealer | Browse |

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: ASCII text
Category: dropped
Size (bytes): 1096
Entropy (8bit): 5.13006727705212
Encrypted: false
SSDEEP: 24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
MD5: 4D42118D35941E0F664DDDBD83F633C5
SHA1: 2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
SHA-256: 5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
SHA-512: 3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
Malicious: false
                                                                                                                                                                                                  Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 9174266
Entropy (8bit): 4.780443521000387
Encrypted: false
SSDEEP: 24576:KPQQ/6MP6P5d1n+wRcXe1Lmfpm6k626D6b6+eGnkywBIpv:Cy8OeG8k
MD5: BD0CED1BC275F592B03BAFAC4B301A93
SHA1: 68776B7D9139588C71FBC51FE15243C9835ACB67
SHA-256: AD35E72893910D6F6ED20F4916457417AF05B94AB5204C435C35F66A058D156B
SHA-512: 5052AE32DAE0705CC29EA170BCC5210B48E4AF91D4ECEC380CB4A57CE1C56BC1D834FC2D96E2A0F5F640FCAC8CAFE4A4FDD0542F26CA430D76AA8B9212BA77AA
Malicious: false
                                                                                                                                                                                                  Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<label class="show show-all" tabindex="0">.<input type="checkbox" hidden>.</label>.<div class="open-sourced">. Chromium software is made available as source code. <a href="https://source.chromium.org/chromium">here</a>..</div>..<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<labe

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 176619800
Entropy (8bit): 6.749624619122867
Encrypted: false
SSDEEP: 1572864:SgRMg/aKxl4b7qCDQtjovZT78wLF2pArKgDz6ObiISXD+Dyj3eRalD2kGpTe/2H1:Gg/geeFXzGa9FzV
MD5: 5DAD490CE110FCDF62D3F38296A3FC44
SHA1: D6ACC8D53CED56D53FE3EFAAF1E35D508D00AD56
SHA-256: E1AD240972ABB42861807E99AB09DB018367EA04462D201D48D55E5E353FB6B9
SHA-512: A3F81654B654006588BDB41664F5440B4FE97BE8DE01E4FF64D7DD4716531C411A477085C43D0BB5F38BD7CDEAB43C2865F345F53172CE781A085F066A165E4C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......4...N.................@.....................................M....`.........................................G....j..4...T....0..p....pe...F......S.....................................(...@o..@.......................`....................text...U2.......4.................. ..`.rdata.......P.......8..............@..@.data.....D..p ......P .............@....pdata....F..pe...F...).............@..@.gxfg....A...P...B....p.............@..@.retplne............. q..................rodata.............."q............. ..`.tls....i...........4q.............@...CPADinfo8...........:q.............@...LZMADEC.............<q............. ..`_RDATA..\............Nq.............@..@malloc_h..... .......Pq............. ..`.rsrc...p....0.......Rq.............@..@.reloc...............w.............@..B........................................................

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: data
Category: dropped
Size (bytes): 154426
Entropy (8bit): 7.915623092881329
Encrypted: false
SSDEEP: 3072:AzwJCGIekwENgMBsFAXg6VKdL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:Azw1IekmMBdQXK18Gb0OV8ld0GecQ3Ey
MD5: B1BCCF31FA5710207026D373EDD96161
SHA1: AE7BB0C083AEA838DF1D78D61B54FB76C9A1182E
SHA-256: 49AFF5690CB9B0F54F831351AA0F64416BA180A0C4891A859FA7294E81E9C8E3
SHA-512: 134A13AD86F8BD20A1D2350236269FD39C306389A600556A82025D5E0D5ADAAB0709D59E9B7EE96E8E2D25B6DF49FEFEA27CDCCEFE5FBA9687ABF92A9A941D91
Malicious: false
                                                                                                                                                                                                  Preview:..........?.........C.......................m.......................^.....X.................q".....$....1/.....9.....<.....A....^D.....F.....H....FK....6M....fO.....S.....V..(..Z..)..[..+..\..-..^....._..5.k`..6..f..8..l..9..n..:..q..;..u..<..x..=..{..>.A...?.....@.h...A.....B.....C.....D.....F....e.....j.[...k.Y...l.....m.....n.....o....p.&...q.U...r....................................................R.........B........................@....."....,.../...1....:....<....@...>E...NP....Q...3Z....a....mf.....k.....r....it.....x.....|....a......................]................c.................................................................^...........b...........t...........=.....k... .....".^...#.....(.^...*.3...+.....,.....D.....E.....F.~...G.....H.....I.Y...J.-...K.....L.....M.....N.1...O.....P.....Q.....R.....S.....T..!..U..'..W.\-..X.8...Y.....Z../..[..0..\.J1..]..1..^.53.._.+4..`. 5..c..9..D..=..E.>>..F..>..G..>..H..?..I..@..J..A..K..A..L..B..M.qB..N..B

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: data
Category: dropped
Size (bytes): 235060
Entropy (8bit): 7.947114238566176
Encrypted: false
SSDEEP: 6144:gDQYaSN6svydrI8jDQUgx5GMRejnbdZnVE6YoppO4:NfSN6svydZ6edhVELoXO4
MD5: E02160C24B8077B36FF06DC05A9DF057
SHA1: FC722E071CE9CAF52AD9A463C90FC2319AA6C790
SHA-256: 4D5B51F720F7D3146E131C54A6F75E4E826C61B2FF15C8955F6D6DD15BEDF106
SHA-512: 1BF873B89B571974537B685CDB739F8ED148F710F6F24F0F362F8B6BB605996FCFEC1501411F2CB2DF374D5FDAF6E2DAAADA8CEA68051E3C10A67030EA25929E
Malicious: false
                                                                                                                                                                                                  Preview:..........?.........J..........................................%.....*.....-....\5.....9.....A.....E....IZ.....o....(t.....~.........s...........e...........L.....p.....y...(.3...).....+.....-..........5.....6.1...8.....9.=...:.....;.....<.t...=.$...>.....?.....@.....A.....B.....C.(...D..%..F..)..e.?1..j..6..k./9..l..<..m..J..n.WN..o.|Z..p..f..q..k..r..l.....m.....q.....t.....w.....z....'~....D........................J..............#.............a....&...................V............c........".....'....n-....P4.....6.....:.....>....6H....bK.....S.....W....ba.....k.....o.....q....cz......................................5...........p.....G..................................%....."... .@...".Y...#.....(.K...*.|...+.r...,.R...D.5...E.c...F.}...G.....H.\...I.....J.b...K.....L.f...M.....N.w...O.9 ..P.'%..Q..-..R..4..S..;..T..A..U..F..W..L..X..M..Y..N..Z..P..[.)Q..\.JR..].>S..^..U.._..V..`.pX..c.4e..D..u..E..u..F..u..G.Kv..H..v..I.,x..J..y..K.[y..L..y..M..z..N.mz
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):4916712
                                                                                                                                                                                                  Entropy (8bit):6.398049523846958
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
                                                                                                                                                                                                  MD5:2191E768CC2E19009DAD20DC999135A3
                                                                                                                                                                                                  SHA1:F49A46BA0E954E657AAED1C9019A53D194272B6A
                                                                                                                                                                                                  SHA-256:7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D
                                                                                                                                                                                                  SHA-512:5ADCB00162F284C16EC78016D301FC11559DD0A781FFBEFF822DB22EFBED168B11D7E5586EA82388E9503B0C7D3740CF2A08E243877F5319202491C8A641C970
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                                                   • Filename: Yoranis Setup.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: Yoranis Setup.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: SalmonSamurai.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: SalmonSamurai.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: NativeApp_G5L1NHZZ.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: CapCut_12.0.4_Installer.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: CapCut_12.0.4_Installer.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: AyqwnIUrcz.exe, Detection: malicious
                                                                                                                                                                                                   • Filename: nanophanotool.exe, Detection: malicious
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d...^.}`.........." ......8..........<).......................................K.....:FK...`A........................................`%G.x....(G.P.....J.@.....H.......J..%....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2866176
                                                                                                                                                                                                  Entropy (8bit):6.71639664914218
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:G9T1onpO0KVy2xq6To8i4BZy7+niuoen6yfzv9x0WFJDI:upKNMo8rBYinp/FFJM
                                                                                                                                                                                                  MD5:8F3D89744AE11B0925FAF4B64890D0D7
                                                                                                                                                                                                  SHA1:6A8F744BE1F76E9AD28287D969D8D24F5F1E7623
                                                                                                                                                                                                  SHA-256:11DAF2BF89A3AC660533B3E487E0624668B35F45D2BD94E9B0324BCE8758DE60
                                                                                                                                                                                                  SHA-512:250C06E70276C08D3D8A63744AF6C570B6288E1D8FED8DEED915C79BF0A80C3CD0A7E64C55A16FCBC50CCBCBC9910B26F87983CEEEA8ED28A75C1B8EC22DB53F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." ......".........0.........................................u...........`A..........................................).......).(.............t.4.............u.,4..<.)..................... .).(...P.".@...........(.).P............................text...U."......."................. ..`.rdata.......".......".............@..@.data.....I...*.."...~*.............@....pdata..4.....t.......*.............@..@.gxfg....,...@u......R+.............@..@.retplne.....pu.......+..................tls..........u.......+.............@..._RDATA..\.....u.......+.............@..@.reloc..,4....u..6....+.............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):10717680
                                                                                                                                                                                                  Entropy (8bit):6.282426578921538
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:196608:WgPBhORiuQwCliXUxbblHa93Whli6Z26wO+:W8wkDliXUxbblHa93Whli6ZUF
                                                                                                                                                                                                  MD5:74BDED81CE10A426DF54DA39CFA132FF
                                                                                                                                                                                                  SHA1:EB26BCC7D24BE42BD8CFBDED53BD62D605989BBF
                                                                                                                                                                                                  SHA-256:7BF96C193BEFBF23514401F8F6568076450ADE52DD1595B85E4DFCF3DE5F6FB9
                                                                                                                                                                                                  SHA-512:BD7B7B52D31803B2D4B1FD8CB76481931ED8ABB98D779B893D3965231177BDD33386461E1A820B384712013904DA094E3CD15EE24A679DDC766132677A8BE54A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):479232
                                                                                                                                                                                                  Entropy (8bit):6.363205504415342
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:0Jk+JyNnPUXhbZ/+a1KYsjNDsrJg3qkrzxwbP6wvEMrwrD7Qy/x6TYtaoB+YEB0+:qbTcZ6+lOP9rmD7QMYYtaFy951wj5ze
                                                                                                                                                                                                  MD5:F1FE23058E7EECE1DE389A0C882BC1AD
                                                                                                                                                                                                  SHA1:E83B15D2BBCB6FB2867651A2A9797ED3B6827947
                                                                                                                                                                                                  SHA-256:A4336A318E8D92A47843D5FE429DC6D1FF7271D8BAC189D719BC8074A128FD6E
                                                                                                                                                                                                  SHA-512:D7D51FCB05542FA81E871DD9F1DD960C363107D1C25311DCBF81E440D1275054C121A788DEF8DBAE47C129E95FD990042E2D39E6EF2BDFB253A114146EB33973
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." ....."...(............................................................`A.........................................4..h....B..(.......x.... ..pA..............H...,,.......................+..(...@A..@............E...............................text.... .......".................. ..`.rdata..,....@.......&..............@..@.data....K....... ..................@....pdata..pA... ...B..................@..@.gxfg... &...p...(..................@..@.retplne.............6...................tls....!............8..............@..._RDATA..\............:..............@..@.rsrc...x............<..............@..@.reloc..H............B..............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7692800
                                                                                                                                                                                                  Entropy (8bit):6.501902638931627
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:9x8EI0RtffaYFH3lV5D3u31okx/6bXm3q:LhXfTFHmoKgCq
                                                                                                                                                                                                  MD5:76141455CD2705897D38E9785117E405
                                                                                                                                                                                                  SHA1:EE091646B6273BF006CFCD84FD54384B0A9D0E0F
                                                                                                                                                                                                  SHA-256:7B0BAA9E2E731716EFE3E0BEBF6A0BCD2D64F35D9F62B20D23ACB4E098C9BE36
                                                                                                                                                                                                  SHA-512:551B79AAFFDC469448477AA72554458235F118559EECC567C232599A4193B2639C14EAFACAD533485089AF58701AEABEE690B43F36E41342F928D4973EFC02E1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." ......Y..t........J......................................`v...........`A........................................}.l.......m.d....pu.......r..U............u.,....al.....................p`l.(.....Z.@.............m.......l.@....................text.....Y.......Y................. ..`.rdata..|.....Z.......Y.............@..@.data...\.....n......nn.............@....pdata...U....r..V....q.............@..@.gxfg....,....u......Tt.............@..@.retplne.....@u.......t..................tls....B....Pu.......t.............@..._RDATA..\....`u.......t.............@..@.rsrc........pu.......t.............@..@.reloc..,.....u.......t.............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5281234
                                                                                                                                                                                                  Entropy (8bit):7.996903093990653
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:98304:UCNks/PeeUfLi93zJ/HbKKSoDr+cgSrwrNl8dtSip6QaVaK2nwuoM10mpmjy+0V4:UAk03dB7KRcRkrNi/SQaVN2wuJ10Le+1
                                                                                                                                                                                                  MD5:54790975C932460FFA375CD0F0F8FFF0
                                                                                                                                                                                                  SHA1:05B72FF82ABB8DDAC1A92471F765B87B7FF1E9FD
                                                                                                                                                                                                  SHA-256:1EFDD507BB6F4FB07329EC7EC29EE00C952D6390BD5CFE3B41FB307C5CAEAB6C
                                                                                                                                                                                                  SHA-512:D74627207CAA35602E68AD6C08A0EBF55FE062E191A1885EB38226755D382DD3407DEA883E4337C5CFF23C1F724D64E5598EDF7A5CE93D4CC1EA6EA10C41AA0E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........5...f.\...{..)..|..,..~.F0.....B.....D.....P....H................V...........B.....k.....M.....c...........F.....$.........t@....u@;...v@....w@....x@c...y@l...~@.&...@.,...@.1...@.1...A.1...A.5...A_7...A.<...A.E...AsT...A/u...Avv...A.w...A.w...A.|..<AL...=AR...>A....?A....@A....AA....BA....CA....DA\....A.....A.....A....RIb...wI....xI....yI....zI....{I.....No)...N.6...N.>...N!B...N.E...N.O...N.P...N.R...NOS...N.....Nn....O.{...O\~..T`....U`....V`....W`x...X`....Y`....Z`v...[`.....`.....`.....`.....`m)...`d,...`.1...`.2...`@4...`.5...`.8...`.=...`.G..0aUO..1a.X..2a.]..3a>d..4a3o..5a~|..6a....7a....8ao...9a....:a....;aV...<a....=a....pb....qb&...rb......V.............................j............................w..................................................9...._........................+$...`'............b........x............................@....7.....>..x..D..y..D..z.YE..{.gF....kH.....I..../....B...@F....G...{H....I....K...2N...<Q....R
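The per-file fields in these dropped-file entries (Size, Entropy, Encrypted, MD5/SHA1/SHA-256/SHA-512, File Type) can be recomputed offline to confirm that a file recovered from a host is the same artifact the sandbox saw. The Python below is an added example, not Joe Sandbox code: it derives the same fields from raw bytes, walks the DOS and PE headers to classify a PE32+ DLL and list its section names (the Preview lines of the dropped DLLs above show ".text", ".rdata", ".gxfg" and ".retplne"), and sets an "Encrypted" flag from an 8-bit entropy threshold. The threshold of 7.9 is an assumption chosen to reproduce the flags in this report (7.9969 marked true, 6.2 to 6.7 marked false); the sandbox's real rule is not documented on this page. The image produced by build_fake_pe32plus_dll is constructed for the demonstration only and is not loadable.

```python
"""Recompute sandbox-style dropped-file metadata: hashes, entropy, PE classification."""
import hashlib
import math
import struct
from collections import Counter
from typing import Optional

# Assumption (not stated by the report): entropy above this bits/byte => "Encrypted: true".
ENTROPY_ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the order the report lists them."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_info(data: bytes) -> Optional[dict]:
    """Minimal PE header walk; returns machine, PE32+ flag, DLL flag and section names, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    size_opt, characteristics = struct.unpack_from("<HH", data, e_lfanew + 20)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if size_opt >= 2 else 0
    sec_table = e_lfanew + 24 + size_opt                          # section headers follow the optional header
    names = []
    for i in range(nsections):
        off = sec_table + 40 * i                                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                                                 # truncated table: keep what we have
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,                                       # 0x8664 = x86-64
        "pe32plus": magic == 0x20B,
        "is_dll": bool(characteristics & 0x2000),                 # IMAGE_FILE_DLL
        "sections": names,
    }


def describe(data: bytes) -> dict:
    """Produce the report-style fields for one dropped file."""
    ent = shannon_entropy(data)
    info = {"size": len(data), "entropy": ent,
            "encrypted": ent > ENTROPY_ENCRYPTED_THRESHOLD, **digests(data)}
    pe = pe_info(data)
    if pe:
        arch = "x86-64" if pe["machine"] == 0x8664 else hex(pe["machine"])
        kind = "DLL" if pe["is_dll"] else "executable"
        info["file_type"] = f"PE32{'+' if pe['pe32plus'] else ''} {kind} ({arch})"
        info["sections"] = pe["sections"]
    else:
        info["file_type"] = "data"
    return info


def build_fake_pe32plus_dll(section_names) -> bytes:
    """Constructed test image (DOS header + COFF header + PE32+ optional header + section table).
    Not loadable; just enough structure for pe_info() to parse."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew: PE header right after DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, len(section_names),
                       0, 0, 0, 240, 0x2022)                      # 240 = PE32+ optional header size; 0x2022 includes IMAGE_FILE_DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    secs = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + bytes(opt) + secs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, describe(fh.read()))
```

Run it with the paths of files recovered from a host and compare the SHA-256 values against the entries above; a hash match confirms the artifact, while a mismatch with matching size and section layout is a hint that the dropper rebuilds or patches its payloads per victim and that fuzzy (SSDEEP) comparison is the right next step.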
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):306214
                                                                                                                                                                                                  Entropy (8bit):4.392850925698206
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:ogusbBDoCIdRSt25iD1Z3yAcCLi9wfuwWMvDdkbMzaQ:ogus9oCM9OUYffnWYWbIF
                                                                                                                                                                                                  MD5:AEDD1B80A8140B94C00DB3C0B9485772
                                                                                                                                                                                                  SHA1:2DC8444E599438ED37A31EBFE7F8859AF7FAC631
                                                                                                                                                                                                  SHA-256:C1DA41052ABE31791AE90A9DBE54442A641E1ECBB018EF35C44E7AED05B8F72E
                                                                                                                                                                                                  SHA-512:3E06CB550F46285D8DC81D1F082732C07E9C9D81ABE931E859262C7BA699D4EB9737581F5A5C5174E09BB0FC0561A9DE46298714CED38F453F922F9536C67D0C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:...............12.2.281.27-electron.0..........................................8L..N...........$....K..a........a........a2.......ar.......a2.......aT.........."..............B..............b........."..............B........(Jb....L.....@..F^.-..1.`.....(Jb...2P.....@..F^..`.....H...IDa........Db............D`.....).D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L.........................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:MS Windows icon resource - 6 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:dropped
Size (bytes):370070
Entropy (8bit):2.6581238785102768
Encrypted:false
SSDEEP:1536:gie1tRXMK6JS1ZMciuawKELOW2YP6GRQj8zigQHP24ETHybd29l9qPk6a3aW2r8G:QCqyW2YKuPa8TVOwzFdc
MD5:2732C2EFCD1469E4884ACB001A3313DC
SHA1:01179ED18A513AFC7D94D5843E2DAB37460605F5
SHA-256:070398CF2F3D8A42C62B31B32402BB81ED3B6FF56A5DCCF75E3CB788496960CC
SHA-512:44145D38E59D8070646293DC8A56E4906BB2B6E3A6D005FEE41F3808BEB0D64687583A941EEB29D3AC7A3C6C1DF3A5EAB04DBFD3EEEC0194D0D11F422997F698
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):679161
Entropy (8bit):5.217457437935302
Encrypted:false
SSDEEP:6144:m/h8ML2Zu/Bg90Ws9oCM9Otxh6vtDINPbIgTtLAkW/cB2Z0JZkQXEzBO+lZ:myMSZu/Bg90BuCzIP/+2ZGZazJlZ
MD5:0C259ECBB12E6F3F0E076E6200221489
SHA1:3DE53DCAFDCE24C151DD1812769B46ACEA77C90C
SHA-256:83A8345EA197020E07FE2CF53E74F31D0CC632CA1537F5C9C1DB2FB2665AB04F
SHA-512:6EF39EE8B7D40C5E6C0E79F8C4E846D431A6A87711D025122E2E7F060C5754FFF917771D5EDE6ADEC3BE909FB5CE0E8EB1DF5E18142ECDB6339BDDE8CE2C8398
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):5312000
Entropy (8bit):6.364537003040197
Encrypted:false
SSDEEP:49152:YL1wrvfRIQkXfBe1IlA8gE+LGHEYXb3GNfsUd9QjqZztkJCP1pSN6WxHEmp+DnnV:81w7weOqiFIYBgTE
MD5:8FE00EBE76542263463877F27417EC61
SHA1:763502E57A3C4FBE5FC25EE7E9C942D94505D244
SHA-256:46AFB1ED7AB1B1A679E00784B2E78CC2358CEC615553699624FF77882F55787B
SHA-512:62B375B40EEDF04D03D8465570634B56D529E9525BD6D81BE94B40C7DA21CCCAA808BE97649F9404DED9EDD5CE129F9FB1D462C6A1986A25FA8A228857CDA5A2
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:JSON data
Category:dropped
Size (bytes):106
Entropy (8bit):4.724752649036734
Encrypted:false
SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
MD5:8642DD3A87E2DE6E991FAE08458E302B
SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:false
Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):954368
Entropy (8bit):6.588968362833733
Encrypted:false
SSDEEP:24576:CkMYSDIukxvnwhdzY96Z5WiDYsH56g3P0zAk7lE1:Cku0fwhC96Z5WiDYsH56g3P0zAk7l
MD5:D8F31216785E204DA9BAD10E9F3734B7
SHA1:BE7F53566DBAEC5DBE61AFC76BF7401CFC42EF08
SHA-256:FA6B4E20EB448746E2EFF9A7FDE7A62585E371F3497A6A928EADE0A8CE8C1A9F
SHA-512:D7EF5EF7ED9B5559E107369849ADCD18FB9C9C3A90033731A46C4B5D3BA431582936E54E5B5918CE19A667B3F1EB369A93BC3F9A03DF8E5397E5F80DC21A61A1
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1691760
Entropy (8bit):6.377248011693859
Encrypted:false
SSDEEP:49152:W0H28oc49lxvVtv4nZ70XYvHPhqkWHZC8l/Ia0dpZu4MRk:09wn10/k
MD5:AC174E068FA99EA6B346353BA69757CE
SHA1:CD1A42D84C18E8473FBEC6A6A3AC731DBB1FCC9B
SHA-256:19C680C1691BA446F2751B79355F2EF7206BBDA3684B058370F26FD2A82F5D6B
SHA-512:E9B0249979ABE566651CDC14F3C18A93B5B8C5C4C45E97FDB7A39D828A7FE930FEE8F1EE7B0A50A5213B4C2B0727E7C07FA5EF591FA80F555D6654CADD5B9BBD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):985712
Entropy (8bit):5.551919340566682
Encrypted:false
SSDEEP:24576:OmPj0ZKH4lODcxSgo5Gn8WuMRIn+N3gN+zs5KPIVmkXiGzcJy3gt2LER6GvK9Hw1:Omb0ZKH4lODcxSgo5Gn8WuMRIn+N3gNw
MD5:390B04A388FFD833D4E93ED4153AE58D
SHA1:1D21644C16772988DD817B40E3886585BBB2D4B2
SHA-256:BB0E790F27DCBEC3B0DCB9F01F27A38C3D2D1F775538C6CFBF9883795F38EFF2
SHA-512:2FD5E8435110FD10DA4B17496377D619C249A11CEFDF4B01796029BB4A24E6A13EAA133158D250C9CC3C7BC9DBECA42BCE09F5AB3523B415A54F9461F3E5BA2A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):37488
Entropy (8bit):6.42379201827549
Encrypted:false
SSDEEP:768:PwJTwYB4E5n/xe5arr82ADib6kysSoQuSW:YJYE55e5mr8tOb6k1L7SW
MD5:D332E42FFA4175720FBC2AA4AC4C57E3
SHA1:4148438DBD61126A5B223409E6FF49F8F838362C
SHA-256:9B070077A44937BEF43C386D4A89051300BC4FAA50C115A1D10FDBB052B66CA8
SHA-512:EB3C246EE059B94CE994B301486117AF1C06B7995FE107EC7F6A9CF0465A8BBFD45D46BCCF87623644BB9C4E345E141BC0F1BDA1FF8FC8D73CE255EEAC0FEA8D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..K...........!.....X..........nv... ........... ....................................@..................................v..O.......d............h..p*..........tu............................................... ............... ..H............text...tV... ...X.................. ..`.rsrc...d............Z..............@..@.reloc...............f..............@..B................Pv......H....... &..TO..................P .......................................2...B..5....vO{:R.G.._(P%+.....|cn.A..@.E.#.....w.....?o......."[......6...|..z...:,.L.......A..|.T^k.A....R-...N.......(/............o~...}......{....op...}....*..{....*v.{....ox.....o....u.........*2.{....ov...*2.{....ow...*2.{....ox...*6.{.....or...*6.{.....os...*6.{.....ot...*6.{.....ou...*2.{....on...*2.{....oe...*2.{....of...*2.{....oo...*2.{....ok...*2.{....oi...*2.{....oj...*2.{....om...
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):53872
                                                                                                                                                                                                  Entropy (8bit):6.209840303982636
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:N7vV5z3+6KTqUPtLnPDiQ0fWST41mocNAwkEGjhl2BOBaBnD/4xFsO282ADib6U2:xVs6c3d28tOb6UT1L7SF
                                                                                                                                                                                                  MD5:D454D5F84DD74C88DE630BA148470B43
                                                                                                                                                                                                  SHA1:C2CB551054DF4EEE747783450BD5A79E711774B1
                                                                                                                                                                                                  SHA-256:D4C2959CC59021EC109C0546AB6B44C9D62FE34F8648FA2E82693B6F6FDB9717
                                                                                                                                                                                                  SHA-512:D30B2E6B7A1908FE80D5B52CC349D0BC128DBD807413AF3303626DC9758C11A3FA58E99E3A368C284C7B9573C06A7DD6B1228C398B1E1D84C1AEAD545713FD08
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S..K...........!................~.... ........... ....................................@.................................0...K.......@...............p*........................................................... ............... ..H............text........ ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B................`.......H........#......................P ......................................oM.?~!...g.h+...$.w....6]...3.U.9.8.!..d)r<....wV...OE!..NB...W.....k..,....h...@.......K.\6.<......6.<d.Y.A`.S..J.Q?..*..((.......oI...}......{....t....}....*..{....*N.{....o*.....(+...*..{....*2.{....oB...*6.{.....oC...*2.{....oD...*6.{.....oE...*2.{....oF...*2.{....oG...*6.{.....o>...*6.{.....o?...*6.{.....o@...*6.{.....oA...*2.{....o:...*2.{....o;...*:.(6.....}....*..{....*..{....*6.{.....o...
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):483440
                                                                                                                                                                                                  Entropy (8bit):5.88808533617672
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:Ma9ps9y+hl8hyfItfqNWtkT4yzIDUCEheLQta3spminCi5W3EKjWFY4A7+BkvCZ/:Ma9ps9y+hl8hyfItfqNWtkT4yzIDUCEf
                                                                                                                                                                                                  MD5:3A1269C0A167AC4D9A444A6123F62647
                                                                                                                                                                                                  SHA1:578575D8D7A073EF2AE8AF7DE65558ECC0FC0F99
                                                                                                                                                                                                  SHA-256:ABC3A0B4FE5DB6717ED3D1BED438BACF053000BCA6C75DD8BE0047D776CEBB20
                                                                                                                                                                                                  SHA-512:63DA1B64A5AFFF89A7031470EB3F08ABA8F4EE381025777EBBD5EA6404F68C92A998169C8B0B21DB3495CDF6A63AC836154C348DDD7D469EAACE293FD0A0482D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......S...........!................~L... ...`....@.. ..............................s.....@.................................(L..S....`...............6..p*........................................................... ............... ..H............text....,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B................`L......H........^..(....................].......................................0..&...........{....9........{............o....**...0..&...........{....9........{............o....**...0..&...........{....9........{............o....**...0..6...........(........ ....}.........}.........}.........}....*...0............ ....."..... .... ...... .... n..... .... ...... .... P..... .... ...... .... (..... .... ...... .... D..... .... ...... .... D..... .... i..... .... ...... .... ...... .
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):703088
                                                                                                                                                                                                  Entropy (8bit):5.944616866544071
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:Rf9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cHQYa:ZXNL2PVh6B+BzjmcwYa
                                                                                                                                                                                                  MD5:D3E0B67E13A5705481C6CA3C7193E7CF
                                                                                                                                                                                                  SHA1:41EE7FAA47F8FBBC025170B5D137E11F4475922E
                                                                                                                                                                                                  SHA-256:F0A7EAAABC1D4D46F45646C9676136377DD72FEFE0365DE51CC7A0CD048AA8C0
                                                                                                                                                                                                  SHA-512:6087C957A49F5472F3D77D4F3B4114C536A5777C03AE33223835698AD3C2865CE3BB2F8FF8DB1CD0DF49FB7CF73FA61B4DFA849430295E82B3D82601E1B66E95
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... ....................................`.....................................O.......................p*..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........z..<&..................<.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{[....3...{Z......(....,...{Z...*..{\.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):420464
                                                                                                                                                                                                  Entropy (8bit):5.859763778856411
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:no4vyP2a+zKZsxgkE0PTpFh/2f7rvmcyjlSjnqgy:no4vyP2a+zKZsDr52f7rvty
                                                                                                                                                                                                  MD5:5759B4F594B5D6B05CDF7D3818A41CF8
                                                                                                                                                                                                  SHA1:63F4C42A3E3279F918991886DF6C53A5121C6D9B
                                                                                                                                                                                                  SHA-256:E31181E899F6A109B782D20D6A77392D3F8A4C945D818861D9DC0ACB3B67D477
                                                                                                                                                                                                  SHA-512:D53609028B3495DAA23C370ECD65500CB7F636A9950E7C54970CBA79A0C38DC6C81CBCC44C97392EA5B33F581C243D2C0A268E08ADFAF1D1EFA2746FC120089C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....oAE...........!......... ......."... ...@....@.. ..............................s........................................!..W....@..L............@..p*...`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...L....@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):43120
                                                                                                                                                                                                  Entropy (8bit):6.314942767785965
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:Dx+pe4L10ajxHJl7u4WHjWZ82ADib6IysSoQuSKhE:1K0ajRu4WKZ8tOb6I1L7SKhE
                                                                                                                                                                                                  MD5:2BFDFE0FB1AA5E9B398C49BB006B92A9
                                                                                                                                                                                                  SHA1:5AABCCBC39F240DEEB048FCB4A7D636D787E4E34
                                                                                                                                                                                                  SHA-256:BF0DC8C853201F9AC9E8B5A9696C24C46DCD9B8AE20CA5744B5B11574E175156
                                                                                                                                                                                                  SHA-512:71E937DDDCF890661819A80679B62CC16912A713EE13F26DD9AB0E05438A680E4925AFBFDEEDC3409F908512F6AF34DC33C552A50A90C6C9321D285A851C6244
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.P..........." ..0..t..........z.... ........... ...............................[....`.................................(...O.......L............~..p*..........p...8............................................ ............... ..H............text....s... ...t.................. ..`.rsrc...L............v..............@..@.reloc...............|..............@..B................\.......H.......|R..t?..........................................................0..Y........-.r...ps....z.-.r%..ps....z(....-.(....-...%-.&(-...+.(........sN.........s.......o....*..-.r...ps....z.-.rC..ps....z.(.......s......o....*.(<...*..s....}.....(......}......%-.&rW..ps....z}......}....*...0............o....(......{....o....,L ....s....s......{......o.....{..........(......o....o.....o.....:.,..(......{..........(.....{......o.....o.......,..(.....*.......@..\........o.........
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17520
                                                                                                                                                                                                  Entropy (8bit):6.83969555329617
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:XrDJKl99Xk8jr8VSurQ2ADir/6rDzhW5w56SofousWu4qi7:Xr20L82ADib6dWysSoQuS2
                                                                                                                                                                                                  MD5:9F018137CCC7684C1922C8D8FA7BA364
                                                                                                                                                                                                  SHA1:E2C26A5BE58B2511043F918939B40134428A4E7A
                                                                                                                                                                                                  SHA-256:7F1D68C22394D54159E918B089CF721DC0F5EF5BD2E9699ED135945ED20E020F
                                                                                                                                                                                                  SHA-512:713C6D48BB186326492FF1466810FF7E270719F5A9A755C4BF84BC66679587223EA9973842EB3D719E2A5B564F488CDE34E39BB5286DBAD428E26E8EA7ED800C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.............^/... ...@....... ...............................0....`................................../..O....@..@...............p*...`......X...8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................>/......H....... !.......................-.......................................0../........-.r...ps....z.-.r%..ps....z..s..........(....*..-.r...ps....z.-.rC..ps....z..s......o....*v.(......%-.&rC..ps....z}....*....0..+.......s......{......o.....o....(.......,..o.....*.......... ......BSJB............v4.0.30319......l...0...#~......\...#Strings........X...#US.P.......#GUID...`...X...#Blob...........W..........3........................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
Size (bytes):36976
Entropy (8bit):6.423492405586302
Encrypted:false
SSDEEP:768:F2IVwX/kpnTXMcTWpHdD2JRrcfwcyT82ADib6jysSoQuSt:/wXcpnTXMwWmJRXVT8tOb6j1L7St
MD5:F632DC6A8B6A9D34F1A24B39475965E2
SHA1:44F478B7B76F9B23E5E78D25157BF58FE675A223
SHA-256:7B10A8C77CE1BA7B68ED742590031BACEC6EEA9641AB0AD2F0DDA40BF7D05C61
SHA-512:6B54ACBD0C5510EABCABE475011E14DA71C096A2F4E4235C605283D9E87903F202C94D3F24006DBC67C143064212CF80D545362C73B7E903AF607A9207666DBC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):130672
Entropy (8bit):6.183884930918232
Encrypted:false
SSDEEP:3072:Gy8BcjSMkNtSR4rkA4Nqnv/BZ8OQNZMpWovqnSOD1fSr:jPSMkNtS6rzH7H+y2e
MD5:381D1F6EAC3487FB809F4A67B20BBFC0
SHA1:7AE67391144F1C3BDDB739F89499E4DFC2E01561
SHA-256:CEA976F7B2AD44B80CAABCD2E2E443D4A58BB31839C6E12F68E49234FDCFD121
SHA-512:A702FC408F953B96E5BFFAAB5953E08FF7F4215A6A87BA94E283EEB6D1E87BD79D34D8421ECD98180844BB037553F958D4E9B71900A085C3B62757BD848CDD74
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):461424
Entropy (8bit):5.25726869136666
Encrypted:false
SSDEEP:6144:mw/0k3XAYWQuyOGiUpXWFgXFQIY0EH7+0BJmmDAvQNRplhxy6woW0nFTF9YvORIg:L8KXAy7qy6EOdgQ
MD5:6CD6DE9E328D4FDDBD0E3D5673369C3B
SHA1:0A0915D6B89CAEF5A9D8D170089ABEBEAF6A183C
SHA-256:5282E7BD01BD8C7A29E418E9F9EA7559A1A6E9F4CA3311399DC957296CEF5FF4
SHA-512:53B1D121698D22A821093F88A5D1270A8243D7CDC836AF338045562363C0C2AFA222D925B6FFD89C238B0775A6F946F539431FC46E9964CE2D382BE9434D2752
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aF..%'..%'..%'...[~.$'..%'..$'...[..$'..Rich%'..........PE..L.....tg...........!..."..................................................................@.......................................... ..................p*..............p............................................................................rdata..t...........................@..@.rsrc........ ......................@..@......tg........j.................tg..........................tg........l.................tg............................................RSDS.BO..$.M..+.V.C{....C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\oi_release\UC.pdb.......................GCTL....p....rdata..p........rdata$voltmd............rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02........................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):162168
Entropy (8bit):7.073455164608616
Encrypted:false
SSDEEP:3072:ZbG7N2kDTHUpoub7G1GFkTvQnKKjRCCDgqqAuKF5s34FEbfPzSzz1fSJ:ZbE/HUzi1GF9n6fqjup34GbfWdM
MD5:4D27F2943AD5052773E7741645B23DD6
SHA1:61B2A58C06C45A5682A24C32E4317EE07C685CFC
SHA-256:802AEB611760C67B68BE019480F65F8EA7BAC6CC30BC89D840DF895A7C3DA55F
SHA-512:85C5CA1FAF19A1168932C1C7259314A276ACBDDBD6F60BF5B9A89DEFE8440FDDB21E9EC9C04C1EC1F03FF3951162B20059C8A7218D72933872824A2367641B6E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):397424
Entropy (8bit):5.896845001178328
Encrypted:false
SSDEEP:6144:rNQ4YiZ6kjpxx981KKjQ9w53HW1fnAgCGCbmScQ:JrZ6kNxx9PKdU9AYAT
MD5:1A03B412419726F712C0C944D9223EBE
SHA1:D996B0D84B4FD60A0C88375D20E8FAD796D30946
SHA-256:232B5CE24F0E7EE6341A59E7BA939B63F6C5918AD847B453234029146C3F60A0
SHA-512:705D5C732F913C8C2E392592C91128F6FE5706ACF1FDF933042A2C4D40AAC90D3DF0478E9ECE9885E718E3FF5C81E7CB76974070148B4E8D9729F52057C8CF6A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (3755)
Category:dropped
Size (bytes):19152
Entropy (8bit):5.393272662156399
Encrypted:false
SSDEEP:384:2yw5tUebz1qEr5M5Q92rbYQujYSQxrjfTr+RLX8uy3i/yI72yWU8zS1Ap5kxP0Ko:tw5tUebz1qEr5M5Q92fYQKYSQxrrWtMn
MD5:B079016897676DE86F27C99F428B8808
SHA1:4A75733DF4F6D833898599100AD6ECA2CDD8AE17
SHA-256:9ACDD49BF2F04E1E6400905BA43D617A67C1260E8B97B93DB322234767FFC35A
SHA-512:4CD033711E425FA9ED5AA8C8F8DCB575C865735B3B2B3FE6DF04AA22B84A5C7F249245DFC3E5DBF6265229D71967C8C3F51F692AF30FBC1B83DDB7BB829830FC
Malicious:false
Preview:.<?xml version="1.0" encoding="utf-8"?>.<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">. <asmv1:assemblyIdentity name="WildixOutlookAddin.dll" version="1.0.0.0" publicKeyToken="ba03c384a1328835" language="neutral" processorArchitecture="msil" type="win32" />. <description xmlns="urn:schemas-microsoft-com:asm.v1">WildixOutlookAddin</description>. <application />. <entryPoint>. <co.v1:customHostSpecified />. </entryPoint>. <trustInfo>. <security>. <applicationRequestMinimum>. <PermissionSet Unrestricted="true" ID=
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (3784)
Category:dropped
Size (bytes):5585
Entropy (8bit):5.810263805047951
Encrypted:false
SSDEEP:96:0WLwO9Zc9vHTPkucpkF8YmORsZalUEgdF8YxzFodo9bBDA:ffFkLPdEA
MD5:DB9C70488F4DA3E672D17C6C7EEB5ED6
SHA1:49BA2D0791E5B3523FB076792843A71D4000E15B
SHA-256:5D457F66530E9A4553D428BD95ACFBFB578884561619F90BE19D171DD253DEFC
SHA-512:B138ABA72CAF390AAB04DD77F1E660751534878F2E8278E1C92433AC305AC215C30E0FA60522658FCD63D18B821D0B869BB6B369FBF3D4FD3B4C65C09DCC093B
Malicious:false
Preview:.<?xml version="1.0" encoding="utf-8"?>.<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">. <assemblyIdentity name="WildixOutlookAddin.vsto" version="1.0.0.0" publicKeyToken="ba03c384a1328835" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />. <description asmv2:publisher="Amazon.com" asmv2:product="WildixOutlookAddin" xmlns="urn:schemas-microsoft-com:asm.v1" />. <deployment install="false" />. <compatibleFrameworks xmlns="urn:schemas-microsoft-com
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):23664
Entropy (8bit):6.560940967824352
Encrypted:false
SSDEEP:384:NVVKiOteMGnUvLMktlhw75P72brQ2ADir/6raX5w56SofousWu4Kfyg:NVkiO4MzpJwZA82ADib64ysSoQuSH
MD5:FAEA425A09F6DCC14F03D967946FC6E3
SHA1:8569910F5F5B369CAD5FA232ED5EE8A3CC38564E
SHA-256:17DD9AB9E3C5733DF4BE6D2B6F6961F053E1B22C1E44F6B611359412C1B0DB49
SHA-512:6EF24695606B67E78A02A9C5911D2325A39FB5DDA230F5DA7858EE436A317C5779AD4C01285948EF5A09813E190A3B53AE952DFD52D9D7CD38FBFE832202E4A4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..*...........H... ...`....... ....................................`.................................XH..O....`...............2..p*...........G..8............................................ ............... ..H............text....(... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B.................H......H.......x$..$#............................................................(....*..{....*"..}....*..(....*..(....*..(....*..{....*"..}....*..(....*..{....*"..}....*..(....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.(......(....*:.(......(....*~.(......o....(......o....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(......(......(.....r...p( ....s....(".....($.....
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):586864
                                                                                                                                                                                                  Entropy (8bit):5.063139636129146
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:SIjggFdum2P4yaUXShvjSRbu05zpERTuZKKjQ9w53HW1fV/vDKjQGZ5bHWhUkzGc:KguBQyaUkJdxKdUbKXwjzF
                                                                                                                                                                                                  MD5:0D4C25344365AF560C17E3EB7D649427
                                                                                                                                                                                                  SHA1:3D44C52059AD8ABEBAD9578179BA7E6DED2C55E7
                                                                                                                                                                                                  SHA-256:0672D29C4D7BBC087FE5ED4AAA8E2842E16D3947114DBB64EFA8613E106379F1
                                                                                                                                                                                                  SHA-512:AA91EC560C875914D1F085CF80EBED3A5B2668DFDA5DC3782861C13BAD598C82A0C4A919005053754BC44BE432627ECFE446DAE9D2DD4E00FD861F0333CA8D78
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.tg..............0..............+... ...@....@.. ....................... .......p....`..................................+..O....@..................p*..........t*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc..............................@..B.................+......H.......p....0..........T... +...........................................~....*..(....*..0..r.......~..........(&....o'....+5..((...o)...o*....~.....o+...-.r...p.(...+~.....o-.....(....-...........o/.....,..(0....*..........BY.........._g.......0..r.......~..........(&....o'....+5..((...o)...o*....~.....o+...-.r5..p.(...+~.....o-.....(....-...........o/.....,..(0....*..........BY.........._g.......0..;.......~..........(&...rm..p(1...~....~....o2...o3......,..(0....*.........
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):146
                                                                                                                                                                                                  Entropy (8bit):4.983767070197417
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:vFWWMNHUz/cIMOodBQV7VKXRAmIRMNHjFHr0lUfEyhTRLe86AEDDQIMOov:TMV0kInV7VQ7VJdfEyFRLehAqDQIm
                                                                                                                                                                                                  MD5:05BD64DBD44CF1C95236670D3842562F
                                                                                                                                                                                                  SHA1:824B16AD66771809D9BB32001875AA3C372C7C9C
                                                                                                                                                                                                  SHA-256:40859DA4B6DE7510504DD13877345D92B4DF66EA09C6C4F4E72C7AE3610974AA
                                                                                                                                                                                                  SHA-512:85FD03363DCDEF8B2A45C74605E0009249ADCA8BEABE06CBB90F6B1B00761C02B6BEB02B8BBD3DDC6965E98CEA820D5023705584D5B7DA5CD2FA3CB9AAF66E9D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<?xml version="1.0"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1"/></startup></configuration>..
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5364336
                                                                                                                                                                                                  Entropy (8bit):6.803295159333163
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:EBDD78pFjrWkS2vQHbajE/OvLenj9QG96rDcmdD:+DQnjrWkS24Hbajcfj9c4q
                                                                                                                                                                                                  MD5:206E87E60FE774EC5A94EB99B8B2B070
                                                                                                                                                                                                  SHA1:BD463F6584F263B85B656C58AFBB1D7AF14975DE
                                                                                                                                                                                                  SHA-256:EFFC0165FADBCDC21A9C3C000922CB98A293398486A24E50A70789F257CF9F20
                                                                                                                                                                                                  SHA-512:72E9FC83E77BD9E69AEC91CB836CACEC0C7A20B04A8EB02F7698DF16A3AC095BF972BCBE4F1AA85D17E00C6FA703D87763C328E7D1F717DF4B8F2C1BC21107C1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............{..{..{......{......]{....<.{......{......{.......{......{......{..{...z..{..{..L...(y..L...{..L...{..L.>.{..{V.{..L...{..Rich.{..........PE..L.....tg...............".,<.........X.6......@<...@..........................pR......R...@.................................L(J......0N...............Q.p*....O.T.....G.p.....................G.......G.@............@<..............................text....+<......,<................. ..`.rdata.......@<......0<.............@..@.data...T....PJ..N...2J.............@....rsrc........0N.......M.............@..@.reloc..T.....O.......O.............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):6427248
                                                                                                                                                                                                  Entropy (8bit):6.617744849493833
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:fd+J+bYZD4OdDcJW7+6vABZvzYMflMs0fRu:VsuM46cJWdvAvvPdd+u
                                                                                                                                                                                                  MD5:9EA16A6444682CE6BC5A12433EB47453
                                                                                                                                                                                                  SHA1:893F4F4E1498CB641B85368D7203B2BFE0A5B658
                                                                                                                                                                                                  SHA-256:1ACE7C7705205DD8B5933C0A76827177912AD3201F5448425B11BD897BB92CC2
                                                                                                                                                                                                  SHA-512:C4B0BADCA6B592D07D2DC883B2DB37EED1548A8F69117EE9CA6EB640419FABB12D62F5A59D752001F2090997F69FFE07D8651E0D57B9335CCB520D5C455FD56D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......a{..%..C%..C%..Cnb.B(..Cnb.B...CjfoC"..Cjf.B6..Cjf.B/..Cjf.BO..Cnb.B>..Cnb.B0..C%..CB..C%..C9..C.f.B...C.f.B...C.f.B2..C.fmC$..C%..C$..C.f.B$..CRich%..C........................PE..d...a.tg.........."....".ZF..8......P.@........@..............................b.....u0b...`...................................................Y.......`.......].l.....a.p*...@b.(....;S.p....................<S.(....:S.@............pF.`............................text...?XF......ZF................. ..`.rdata.......pF......^F.............@..@.data...\c...0Y.......Y.............@....pdata..l.....].......\.............@..@_RDATA..\.....`......._.............@..@.rsrc.........`......._.............@..@.reloc..(....@b......Ra.............@..B........................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):3430
                                                                                                                                                                                                  Entropy (8bit):3.577875788113156
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:yei1q97/qlLaq4i77cMUF39Qg9c9V9Lvara+iaiusupRCRf9ufAuRa7T5XhPsV8n:t2ll4i77h4iGdiaipV9ll7dhFF6+
                                                                                                                                                                                                  MD5:9E02EAF2592DE18E8058FD254C89FAD5
                                                                                                                                                                                                  SHA1:EB5FCE36FC938929D27348CA9B0040CFED0FF8B4
                                                                                                                                                                                                  SHA-256:870D3C739BEB158446DEEED2B5C92854C2726A92B3294F0C07C52AE65CD51ED1
                                                                                                                                                                                                  SHA-512:5C82E7D21BA6D828EED7BF9F313C864AB59DE695DF4B62D31DD2CCB838B60E65C7EEAB56606CBBBE8FBB11A4D70ED42D1D10F3EA9834B5203BBD5B6067648226
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.0.-.1.1.-.0.4.T.1.1.:.5.9.:.4.6.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.W.i.l.d.i.x. .s...r...l...<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.W.i.l.d.i.x.\.W.I.S.e.r.v.i.c.e. .u.p.d.a.t.e. .c.h.e.c.k.e.r.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.C.a.l.e.n.d.a.r.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.0.-.1.1.-.0.4.T.0.1.:.0.0.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . . . .<.R.a.n.d.o.m.D.e.l.a.y.>.P.T.5.H.<./.R.a.n.d.o.m.D.e.l.a.y.>..... . . . . . .<.S.c.h.e.d.u.l.e.B.y.D.a.y.>..... . . . . . . . .<.D.a.y.s.I.n.t.e.r.
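The dropped file above is a Windows Task Scheduler definition stored as UTF-16LE with a byte-order mark (the leading ".." in the preview), registered under the author Wildix s.r.l. with a CalendarTrigger and a five-hour RandomDelay. The following Python script is an added example, not part of the Joe Sandbox report or of the analysed installer: it decodes such a file by its BOM, parses it with the MIT task namespace, extracts the fields an analyst reviews (author, URI, principal, actions, triggers) and flags the properties that the report's own signatures point at (SYSTEM or elevated principals, actions launched from AppData-style paths, long random delays that can keep a task from firing inside a sandbox window). The embedded sample task is constructed from the fields visible in the preview only; the ScheduleByDay contents the preview truncates are left out, and the sample has no Principals or Actions elements, so only the delay check fires on it. The `iso8601_duration_seconds` helper handles the D/H/M/S subset Task Scheduler uses, not the full ISO 8601 grammar.

```python
"""Triage a Task Scheduler XML file dropped by an installer (added example)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample: the fields visible in the report preview, encoded as the
# dropped file is (UTF-16LE with BOM). Elements the preview truncates are omitted.
SAMPLE_TASK_TEXT = (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
    '  <RegistrationInfo>\r\n'
    '    <Date>2020-11-04T11:59:46</Date>\r\n'
    '    <Author>Wildix s.r.l.</Author>\r\n'
    '    <URI>\\Wildix\\WIService update checker</URI>\r\n'
    '  </RegistrationInfo>\r\n'
    '  <Triggers>\r\n'
    '    <CalendarTrigger>\r\n'
    '      <StartBoundary>2020-11-04T01:00:00</StartBoundary>\r\n'
    '      <Enabled>true</Enabled>\r\n'
    '      <RandomDelay>PT5H</RandomDelay>\r\n'
    '    </CalendarTrigger>\r\n'
    '  </Triggers>\r\n'
    '</Task>\r\n'
)
SAMPLE_TASK_BYTES = b"\xff\xfe" + SAMPLE_TASK_TEXT.encode("utf-16-le")


def decode_task_file(raw: bytes) -> str:
    """Decode by BOM: task XML exported by Windows is UTF-16LE; fall back to UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]
    return raw.decode("utf-8")


def parse_task(text: str) -> dict:
    """Extract the analyst-relevant fields from a decoded task definition."""
    # The declaration's encoding attribute described the original bytes, not the
    # str we now hold, so drop it before handing the text to ElementTree.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1).lstrip()
    root = ET.fromstring(body)
    ns = {"t": TASK_NS}

    def find_text(path):
        node = root.find(path, ns)
        return node.text if node is not None else None

    triggers = []
    for trig in root.findall("t:Triggers/*", ns):
        triggers.append({
            "type": trig.tag.rsplit("}", 1)[-1],
            "start": trig.findtext("t:StartBoundary", default=None, namespaces=ns),
            # Task Scheduler treats a missing <Enabled> as enabled.
            "enabled": trig.findtext("t:Enabled", default="true", namespaces=ns) == "true",
            "random_delay": trig.findtext("t:RandomDelay", default=None, namespaces=ns),
        })
    return {
        "author": find_text("t:RegistrationInfo/t:Author"),
        "uri": find_text("t:RegistrationInfo/t:URI"),
        "registered": find_text("t:RegistrationInfo/t:Date"),
        "run_level": find_text("t:Principals/t:Principal/t:RunLevel"),
        "user_id": find_text("t:Principals/t:Principal/t:UserId"),
        "commands": [c.text for c in root.findall("t:Actions/t:Exec/t:Command", ns) if c.text],
        "triggers": triggers,
    }


def iso8601_duration_seconds(value: str) -> int:
    """Convert the PnDTnHnMnS subset Task Scheduler uses (e.g. PT5H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage(task: dict) -> list:
    """Flag the task properties a reviewer would question (checks are this example's)."""
    findings = []
    if task["run_level"] == "HighestAvailable" or task["user_id"] in ("S-1-5-18", "SYSTEM"):
        findings.append("task runs elevated or as SYSTEM")
    for cmd in task["commands"]:
        if re.search(r"\\(AppData|Temp|ProgramData)\\", cmd, re.I):
            findings.append(f"action runs from a user-writable location: {cmd}")
    for trig in task["triggers"]:
        if trig["enabled"] and trig["random_delay"]:
            secs = iso8601_duration_seconds(trig["random_delay"])
            if secs >= 3600:
                findings.append(
                    f"{trig['type']} spreads execution over {secs // 3600}h "
                    f"(RandomDelay {trig['random_delay']}); a short sandbox run may never see it fire")
    return findings


if __name__ == "__main__":
    task = parse_task(decode_task_file(SAMPLE_TASK_BYTES))
    print(task["author"], "|", task["uri"], "|", task["registered"])
    for finding in triage(task):
        print("-", finding)
```

To use it on a real dropped file, read the file as bytes and pass them to `decode_task_file`; the BOM check matters because feeding the UTF-16 text to a tool expecting UTF-8 produces the dotted garbage seen in the preview rather than a parse error.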
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5319784
                                                                                                                                                                                                  Entropy (8bit):6.624489203238988
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:IDTNbgZbsK5pM9TJFppvgKnkt21tgJEyacq0+W3Ua+zxn1OqH:YJbNFF/gV/17sOA
                                                                                                                                                                                                  MD5:1529A91171C5E94E3053B933E4244417
                                                                                                                                                                                                  SHA1:1E7340E648898F396E39F86A5CC37AD396FD4918
                                                                                                                                                                                                  SHA-256:9CC8F2C258EE3E9A0B15D6F289B27EA96992ADBAB92428A04BAE0A258FAF78BD
                                                                                                                                                                                                  SHA-512:3FB39B3B3620B818FFD28932855E397F3EF5AD151CE396A4A650823F711065F49709013D6DED8268A7A29FFD989C372F4AE3C2CAAA7F5D51124E2A39AF05ACFC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V.......[.......k.......v..._.W.D...9..._...V..........[......W...RichV...........PE..L......`.................P...................`....@..........................P......e.Q...@.......................................... ................Q.p*...0......p...T...................h...........@............`..(............................text....N.......P.................. ..`.rdata.......`.......T..............@..@.data... ...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):23812
                                                                                                                                                                                                  Entropy (8bit):5.102231290969022
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:ILAp44CzsyQKElOR2x96a7zXql8wYNz6FkjzEgqgF6Lvztmm/jb5/R6B3VjMcBU0:ILAe40VxYJ7zvWrfZmujb5mVjlQrlGwI
                                                                                                                                                                                                  MD5:D46A5DFAB2AC1BB5BF39D4E256E3AB43
                                                                                                                                                                                                  SHA1:FD19097E89D882E5624E8822FF8D7518D104B31C
                                                                                                                                                                                                  SHA-256:0E93309B477971AD9D744FB1BB6AFDE1AF7D31223E90B5E8A4E5EA13CC5B8CD9
                                                                                                                                                                                                  SHA-512:FE6C5CD5DA0E045E9F823D34E393E158F56A3136966971F0D494092257956FBEA29ACC98E94B50AA785CF426DBACDAFFCC0B0F7872E7F63A2F270A174C0F4BCA
                                                                                                                                                                                                  Malicious:false
Preview: *% stddtype.gdl - this file contains templates that define all MS standard datatypes..*% that appear in GPD and GDL files.....*PreCompiled: TRUE......*% ==================..*% ==== Macro Definitions ====..*% ==================....*Macros:..{.. LIST_OF_COMMAND_NAMES : (.. *%.. *% GENERAL.. *%.. *% the following are not enumerated here because they require.. *% the full Command structure. See Template: ORDERED_COMMAND.. *% and its descendants..... *% CmdSelect,.. *% CmdStartJob,.. *% CmdStartDoc,.. *% CmdStartPage,.. *% CmdEndPage,.. *% CmdEndDoc,.. *% CmdEndJob,.. *% CmdCopies,.. *% CmdSleepTimeOut,.... *%.. *% CURSOR CONTROL.. *%.. CmdXMoveAbsolute,.. CmdXMoveRelLeft,.. CmdXMoveRelRight,.. CmdYMoveAbsolute,.. CmdYMoveRelUp,.. CmdYMoveRelDown,.. CmdSetSimpleRotation,.. CmdSetAnyRotation,.. CmdUniDirec

Process: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 14362
Entropy (8bit): 4.18034476253744
Encrypted: false
SSDEEP: 192:NcThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:xFzOnS7z0
MD5: CD0BA5F62202298A6367E0E34CF5A37E
SHA1: 0507C7264281EFB362931DEB093308A5CC0F23A5
SHA-256: B5E8E0C7339EF73F4DD20E2570EE2C79F06CA983F74D175DBE90C0319C70CE3A
SHA-512: 0DA97D886BBF6E06BDEF240B0CA32E80ED56140349902F2A58FCD00A95F85AEDEABB779CA99308DA39E995BDB7C179E2D7A0705643AF609EC7E05323964851F8
Malicious: false
Preview: *%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_DISP

Process: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 59116
Entropy (8bit): 5.051886370413466
Encrypted: false
SSDEEP: 768:UH8K0RGmALhTYi6AmdDsaCXmSsUN2xHXgutLSsy3o+ndhr54:UH8K0RGmAd58D+iLBHad4
MD5: FC574EB0EAAF6A806F6488673154F91F
SHA1: E10B44CF7082FE5BE23FB0C19AC792D4692F6388
SHA-256: 941E5318D8BBD747AFA98982C0354516079175ACD3D7485F327BCC384F4FCFB8
SHA-512: A04CAC69A4DD4BD951CDC0F5186A3F589DA2EA40D667BE855F9E5AED12ECD9F7FC79FD624361C9563A07A5DCC1250CBD628BA27A0FAD78D599CD68540F9B4F45
Malicious: false
Preview: *% stdschem.gdl - this file contains templates that define all MS standard keywords..*% and constructs that appear in GPD and GDL files.....*PreCompiled: TRUE....*Include: "stddtype.gdl"......*% ==================..*% ==== Base Attributes ====..*% ==================........*Template: DISPLAY_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_CODEPAGE_STRING.. *Virtual: TRUE..}........*Template: ANSI_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_NORMAL_STRING.. *Virtual: TRUE..}....*Template: DEF_CP_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_DEFAULT_CODEPAGE_STRING.. *Virtual: TRUE..}....*% ==================..*% ==== Root Attributes ====..*% ==================....*Template: CODEPAGE..{.. *Name: "*CodePage".. *Type: ATTRIBUTE.. *ValueType: GPD_NONNEG_INTEGER..}....*Template: GPDSPECVERSION..{.. *Name: "*GPDSpecVersion".. *Inherits: ANSI_STRING..}....*Template: GPDFILEVERSION..{.. *Name: "*GPDFileVersion".. *Inhe

Process: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2278
Entropy (8bit): 4.581866117244519
Encrypted: false
SSDEEP: 24:IO673u+3WSnMVfIPQMAPFq+AP3hM927Kc509OD8jQV0Ucn05NKYKd5NK3Kr59:IB7zmrAPMtc6927e9OQEV2EPSQg/
MD5: 932F57E78976810729855CD1B5CCD8EF
SHA1: 50D7145076D422C03B924DD16EA237AC9B822F0E
SHA-256: 3B9BE4E69B022DE9D0E30EDE70F292F3DF55AB7BE36F134BF2D37A7039937D19
SHA-512: 023848F6CE826EB040EA90C8319BBF1AC26E16B66BD9470E197B3A02DAE00AE9A177996E6B069F42BC54FBF28AE7F96CCC10CF331C13B54CCF12990311F30D73
Malicious: false
Preview: *% stdschx.gdl..*% this file defines the parts of the schema that are dependent on..*% preprocessor defines.....*% Since this header relies on passed in Preprocessor defines, it must not be PreCompiled...*PreCompiled: FALSE....*Include: "stdschem.gdl"....*Ifdef: WINNT_50.. *% and above .......*Template: PRINTRATEUNIT..{.. *Name: "*PrintRateUnit".. *Type: ATTRIBUTE.. *ValueType: EDT_PRINTRATEUNIT..}..*Template: PREDEFINED_PAPERSIZE_OPTION_2 *% Additional papersizes.. *% for NT5.0..{.. *Inherits: V_PREDEFINED_PAPERSIZE_OPTION.. *Instances: (.. DBL_JAPANESE_POSTCARD,.. A6,.. JENV_KAKU2,.. JENV_KAKU3,.. JENV_CHOU3,.. JENV_CHOU4,.. LETTER_ROTATED,.. A3_ROTATED,.. A4_ROTATED,.. A5_ROTATED,.. B4_JIS_ROTATED,.. B5_JIS_ROTATED,.. JAPANESE_POSTCARD_ROTATED,.. DBL_JAPANESE_POSTCARD_ROTATED,.. A6_ROTATED,.. JENV_KAKU2_ROTATED,.. JENV_KAKU3_ROTA

Process: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 532080
Entropy (8bit): 6.370246167881384
Encrypted: false
SSDEEP: 12288:/TIJ/Cq6XA1T9hPGhV9mid49b9spV7LDbTz5w:/UJ/Cq2IT/PiP4dapV7LDtw
MD5: 1D574CE34B4086B8440B578497E4BAC6
SHA1: F7C55619F693CC6465B8B877C2F9E533CB84712C
SHA-256: BDCADB517FDB16078F999701B3A59CA75687CDE474F9770DF2E86AE41F9E962A
SHA-512: FB1B70C392A1E292C181C3EB4C072BD56FFFAA6674025FEB86EBDC772C98CC443D8DFC7325C84E19CB41269303D8C583A44841F938F03CC517DD25E68359560F
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type: MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
Category: dropped
Size (bytes): 21225
Entropy (8bit): 3.9923245636306675
Encrypted: false
SSDEEP: 192:g8qo9MqLEGX9WkaNWvbAsmrEGckkwy95/HLQdu:g8rMqLwkW8AsqEHkkwy7N
MD5: 6798F64959C913673BD66CD4E47F4A65
SHA1: C50FAA64C8267AC7106401E69DA5C15FC3F2034C
SHA-256: 0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
SHA-512: 8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 919664
Entropy (8bit): 5.991555850090375
Encrypted: false
SSDEEP: 12288:uH0ARc8QCfjeDUr73Tx1yfhPXgFQ3Qe5w1lwAAwoTLARTsBqC+Zo:u7Hdv3DyfhP2QgYPwo3ArVo
MD5: 816DDBD6F052DEBFCE5B7EEAE4E789FD
SHA1: 1DFD070CAE07E271233AF20236831DC58B3BADB6
SHA-256: 727FFB5B2BF5BDFFFBD090FD83911F731BB6776571ED1377F2139899709C51F0
SHA-512: 6A02DA315AD7E886FDC4C43C0F63409A41735FB409F144DAA04422648E45FA9E7A523CF326612412C96D3E03D451F10A2BDFEB2B6BCAD7A6D8DC474281A5978D
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 856688
Entropy (8bit): 5.596774833480957
Encrypted: false
SSDEEP: 12288:r9aBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinL2U:paBEGbL4Np84TQazCSiR2U
MD5: A64216C3C9E82E1C6D0B5CD8020D3ABD
SHA1: 5FC65E59EEEE9C5F1682E4EDB4C5D9EF69FCED88
SHA-256: 56DA81C0EABE8505A96A41BA69A3DB13F30E247C39B1393CFE65C9578E47A9EC
SHA-512: 079CFACC36CF4EA6E24A61B539C1A2EBC04DAE2AC93FE8EC372FA5E8934C9F93BEBC4C47188E7EC95D306ACB0E8A2C3FA2AC8605A378F30AD8C634B457168B83
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7996
                                                                                                                                                                                                  Entropy (8bit):5.128824009655858
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:Iwr2yWGyAH155NpoEdyb76f8upG2sIkQTkpfpBnquMpBnqF5zqps2dXRSXjKMoy8:IHa1Hj7k2sI90mHmF52pbye9U/Prtk
                                                                                                                                                                                                  MD5:9CB68B693CDCDF5E9E5707E3CABCA7A7
                                                                                                                                                                                                  SHA1:29A5537387519BC14138F02C5355EAB2EB923AA3
                                                                                                                                                                                                  SHA-256:D79405A4F2A390407B78B1DC7FEEBE3A533EA9969F6066F5A12F189502D900F0
                                                                                                                                                                                                  SHA-512:765EDDDD3CE8995DC66AB5578462F12CD52007FDEBF3C6DE412BAF4C094E17FDB286BDEB0A6ECC6FE2347C0BB846F4D2A206DD78BC128111E84918F50B57E7F8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:*% ..*% ..*% ..*GPDSpecVersion: "1.0"..*GPDFileName: "imgprint.gpd"..*GPDFileVersion: "3.1.0" ..*Include: "StdNames.gpd"..*ModelName: "Wildix FaxPrinter"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 99......*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "<1B>&l0O".. }.. }.. *Option: LANDSCAPE_CC90.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "<1B>&l1O".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: MANUAL.. *Option: MANUAL.. {.. *rcNameID: =MANUAL_FEED_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "<1B>&l2H
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):940144
Entropy (8bit):6.458898363798956
Encrypted:false
SSDEEP:12288:5pcIN4eGbIp0dMAonEWorRdvfd+Xu6VrZUcu2jRwzjeL7i8XVbsT3zpf3ygLuITz:5pv2OrkeL+8U3zpvyOuARXwo1
MD5:1DED360B71C4C83EB10B0C08B6597C9E
SHA1:80CC899D7CC2483B01185CD528210A399C76DBDD
SHA-256:D9B43DF509EE41A62E74241A541723E309FA5A4470E3132E7DD2C54314DF4E2D
SHA-512:45616968A18B7789F9256CFD7E2023D6644A34B5F29ADF138E058BBDCDC2231FA3DC37DD28796F85AB1D63E60F9E9C8C010AEE162DAC9031B0E605C463966A78
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:data
Category:dropped
Size (bytes):306752
Entropy (8bit):6.141499008290493
Encrypted:false
SSDEEP:6144:pgwRUnZJgqtQ4pVbo2Vpm0Uf0iTVeZz7YN5Aq6B0O7G36cPQ6ONU0lOXbu:CzZD0X15Yv8Oq6B0OgPfOy0lKu
MD5:4F95ADAFA7E0E034EDF87B2BFDC4CDFA
SHA1:E6422B41682E01BAFC3D36B20F5113F8691D83EA
SHA-256:45EEC2C2BC825849E9EA8DAC2F2E6EB76353DB498EE74788CDAB82BC7F42625B
SHA-512:BAB4849A4E5BEC7895CA657C2E642D926DB897987B73E9B615F3C7C35EB58AB0E3E17D7F3EFE4A88382052C0E14F32082804EBC4744724CA4755A9C336500125
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:data
Category:dropped
Size (bytes):894220
Entropy (8bit):6.412259430484631
Encrypted:false
SSDEEP:12288:byUN9kmRr6Ps+2GfGshqM6LcX95Efz4F0BOU0H3Y4G3GUrBxK8Xzg02/HxKJT:Dr1E+JMycX95EfzD0fexBxK8jX+wx
MD5:F80C203D2184BE4E9CDA039C517F1556
SHA1:2FE1E31B80688B88DEF0CF9AD1193C5D41C2645F
SHA-256:F40F0499B23D21C2C24DB452A5482DBD36957935F593DD4D60935DE2550B1EEB
SHA-512:A0F7A12F2A600A7796678E1C279D04A88FFF4118A9B4372719E5A1FB674D5EECA993548EEA79C376AB1D872EB6ECD2D8F87C7898C96E11842190EFDF0FCE0040
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):72304
Entropy (8bit):5.55290876998526
Encrypted:false
SSDEEP:1536:Pm17Ztk6tdWavOgwfMwob8tOb6K1L7S1Un:PK7HkQvOgwfT9Sb1fS2n
MD5:1340C9F8BF2A24074FF43CB663983AC4
SHA1:3BCF98D2D6FDA3A5BA47BF37F8B462E5683E0BD2
SHA-256:ED2448275402FD4F4F945B121B386168F0F40DDC09B33CEA0D2C42ABB1C78AE4
SHA-512:A0022237AA0211659609CF0F2188530C141ED5B7AF994A3A27CACAB6DE71D3D81863DF3E6AEB8661E5A593403439668DF9EAFDB7F0814364960ACC0FF135ECE9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):24688
Entropy (8bit):6.923218305340772
Encrypted:false
SSDEEP:768:CjEds+4wmIm0eAk582ADib6MIysSoQuSE:RdifnX8tOb6MI1L7SE
MD5:50F7B26074413150020CBBC07323B58D
SHA1:35AD00A36CF8DBC90E6E38931E6EA14C02BF1440
SHA-256:683D0127506E21F29F8F3CB51ED6955B39832D19BFADFC0E845AFD58C5738799
SHA-512:659A23E20AAA062D176AC982A50CFE46B247C13F0F8B05C8F41B8DB0F7637A4102AF79DC4DCEFA0B7890E1DA4DD87E63510634464FDAB4EFF0538AFDEE9845AE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):490096
Entropy (8bit):6.084433322393528
Encrypted:false
SSDEEP:6144:N6KTZsHDwx0TCAQpFTfnPyFVrCqq/KrnahQ+Nnq0B/aNOjMQpynpPQ:rsHDG0TM6sKGhQ2nq0iQUY
MD5:A7AF473BDC6493C11CE071B11E324E5A
SHA1:2788D07F0D5CB3C56E845905A5669603F37159A6
SHA-256:566DC91237523877C6D5ACA8B5B5E7145937982A5409C78F148E18390DDDE069
SHA-512:18293FD7C26E00490AACBF0DEBC8A1E05C6734E0546A8F12C3EE8067D232CEAC77DF269237736A956741B4D350852EF33F909600C77B4FE8392F802AB8974840
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):559728
Entropy (8bit):6.452474379327697
Encrypted:false
SSDEEP:12288:XZY4lOHMwLwXBt+iaKst/Ua/hUgiW6QR7t5j3Ooc8NHkC2eWzp:XZY4lOHMM8wifstjj3Ooc8NHkC2eep
MD5:E353CFB37F8EBCAA044FEF89AD1B59F3
SHA1:F751BB2E7ED3DF10EADC73A780798C94D2EC10D8
SHA-256:81EEFF257350C01742D16971501A54755A97DD441FF91E912958F068C1763448
SHA-512:6D6CFE50E3DC87D45F25000FC992ACD3CF564A5CC928FFA3BEB99E799F528618174DE042EDCB31A73AA736CE69159A690B8D532CA1134D11134AA85F06293FE5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):637552
Entropy (8bit):6.8685472952194955
Encrypted:false
SSDEEP:12288:fxzh9hH5RVKTp0G+vphr46CIFt0yZmGyYG/q:fph9hHzVKOpRFHmGyY2q
MD5:D0DE1837CAAEDD6D0EB2E7DFE3A16601
SHA1:FF8729A83E98CA5DFC09C8BE65FCE9C45DB536A2
SHA-256:B6C7F4CB86FFA0CB076C55D659F390DF2F62A6D3FA5A896281A43E6109F77DEB
SHA-512:44C02013F4D5569F35E89C783BCC2B14C3F79FE61011656FE15B57846E99343F404C3057A006D45B83678DCFBAE269E9555D6A946A355CC47D24E5AD00F33AB3
Malicious:false
Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L......M...........!.....0...p......+#.......@.....x.................................F....@..........................q...~..Pc..<....`..................p*...p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):701552
                                                                                                                                                                                                  Entropy (8bit):6.836069284857721
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:th1wtmDyLuDTFn3nLjTwDFbT82hs8mVY/P3WaNi6nS4zAEgMWPznF9SHaneX:n1wtmDyLghn3nLjYFbIv8d/fs6S4zA/u
                                                                                                                                                                                                  MD5:E14902AD1CF232867326AF9C91830B51
                                                                                                                                                                                                  SHA1:772FF493E1DD52B4B9399841E7DF7FCADFDD2A26
                                                                                                                                                                                                  SHA-256:DA7C567F81C6E5206858B9C3AD844950CE804CD42FD26823A862D6C8D413A558
                                                                                                                                                                                                  SHA-512:0DBB5438D6B448283ED379793DB205FC2E481144BC5BE6D91A54B1F9912E5C813341ED1AB53DDDD6715A64085A3FFA9BF97A07CADBE64E7228F142CE8182C0E6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........gR.......................W.............#.............u.................Rich............PE..L..."..N...........!................r..............o......................................@.........................H ...t...........p..................p*.......2..X...8...........................p...@...x........................................text............................... ..`.data....h.......d..................@....rsrc........p.......R..............@..@.reloc...2.......4...V..............@..Bb..N.......N....a..N....a..N$...b..NH...a..Ni...b..N....a..N....a..N....b..N.......N....b..N....b..N=...b..Ne...b..N....b..N....b..N....b..N....a..N#......N....b..NM......N....b..Np...a..N.......N....b..N....a..N.......N............KERNELBASE.dll.ntdll.dll.API-MS-Win-Core-Console-L1-1-0.dll.API-MS-Win-Core-DateTime-L1-1-0.dll.API-MS-Win-Core-Debug-L1-1-0.dll.API-MS-
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Tue Dec 31 14:42:44 2024, mtime=Mon Jan 13 15:37:15 2025, atime=Tue Dec 31 14:42:44 2024, length=16788080, window=hide
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):928
                                                                                                                                                                                                  Entropy (8bit):4.616827446145355
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:8UC0YX1+h9JTkdpF444cEnKTpYsKr/Fcp/jAt73lPDRbbdpo8RGHaBaZBmV:8qkdkupYsYKA7BdRG64ZBm
                                                                                                                                                                                                  MD5:5F7F9F9B94680F677C504CC6CB9A9FF0
                                                                                                                                                                                                  SHA1:CD4C2981463EAE72821FE7CE7669CDD5A2547C1D
                                                                                                                                                                                                  SHA-256:F791629F7FE000FBCED75D39F03EF1E2BFE407937F68028957BFAF7B932DFC1B
                                                                                                                                                                                                  SHA-512:547CC315EDF1205D4AD34F0123C159D21E8CC881D39D76F0636C48D13741F3661D08AD7E5180C6FE5825D60E1C287F746F14EF0F5A62D91400FC58BF176047F9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:L..................F.... ........[...$Cg.e.......[..p*...........................P.O. .:i.....+00.../C:\.....................1.....-Z....PROGRA~1..t......O.I-Z......B...............J.....R...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....-Z....Wildix..>......-Z..-Z.......C....................eL..W.i.l.d.i.x.....\.1.....-Z....WISERV~1..D......-Z..-Z.......C....................{I].W.I.S.e.r.v.i.c.e.....h.2.p*...YV} .WISERV~1.EXE..L......YV}-Z.......C........................w.i.s.e.r.v.i.c.e...e.x.e.......^...............-.......]....................C:\Program Files\Wildix\WIService\wiservice.exe......\.w.i.s.e.r.v.i.c.e...e.x.e.!.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.l.d.i.x.\.W.I.S.e.r.v.i.c.e...-.-.p.r.o.x.y.e.x.`.......X.......301389...........hT..CrF.f4... ...V......,.......hT..CrF.f4... ...V......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039004, page size 1024, file counter 3247, database pages 22038, cookie 0x1c6, schema 4, UTF-8, version-valid-for 3247
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22566912
                                                                                                                                                                                                  Entropy (8bit):6.156856755685782
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:LweRjXxSuAId92j0CeSg0np8atm8SsANGC1KuD1+U68rNMgT9A4VMD5uuTopBtlw:DyhI8GUp8atPOG6VhvcgIHRH
                                                                                                                                                                                                  MD5:3241A121BCF26F5E8B36663E3056B2CA
                                                                                                                                                                                                  SHA1:FAF689142817E79961EE45D61D40EF0204488D89
                                                                                                                                                                                                  SHA-256:DE37FC1A3B827F05BFF563D523CBA8007272462C24C9C1939F9B1FD13F789088
                                                                                                                                                                                                  SHA-512:03530AE86E5342FF84494BEF17EEDE041D918A0193357711076649493B9020A5729CCF0737BD226B8A32ED7D88E342316050DEE9C8CD13A3AE281C2B7FE2C562
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:SQLite format 3......@ ......V..................................................................._...........V.............................................................................................................................................>.......StableFILTERSFILTERS.CREATE TABLE FILTERS (...ID BIGINT NOT NULL,...NAME VARCHAR(128) NOT NULL,...DESCRIPTION CLOB(2147483647),...STATE CLOB(2147483647) NOT NULL,...PRIMARY KEY (ID)..)-...A...indexsqlite_autoindex_FILTERS_1FILTERS.........w...##..5tableEVENTS_TAGSEVENTS_TAGS.CREATE TABLE EVENTS_TAGS (...EVENT_ID INTEGER NOT NULL,...TAG_ID INTEGER NOT NULL..).n...%%...tableEVENTS_STATSEVENTS_STATS.CREATE TABLE EVENTS_STATS (...ID INTEGER NOT NULL,...DAY INTEGER NOT NULL,...DATE DATE NOT NULL,...MIN_ID INTEGER NOT NULL,...MAX_ID INTEGER NOT NULL,...COMPLETE TINYINT NOT NULL,...PRIMARY KEY (ID)..). ........tableCLASSESCLASSES.CREATE TABLE CLASSES (...ID INTEGER NOT NULL,...NAME VARCHAR(255) NOT NULL,...NAME_LOWER VARCHAR(2...86...+,.
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):261232
                                                                                                                                                                                                  Entropy (8bit):5.839129701085833
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:8LixO6zz8t4OXDegbQy058MP2pZrCmrrDse0ecdfF7b2gqEiyDvSmqtNlVusC51E:Dn8nDenoRXoJF3bqEiyzZ5m1FsgUNu1
                                                                                                                                                                                                  MD5:B43803E3279FAB53E4393FBBF40B1949
                                                                                                                                                                                                  SHA1:ACA0E59D227808534303708354D2FD4AA2B356DB
                                                                                                                                                                                                  SHA-256:2B2E4F436377B7770071FD387ABE01B9D7088214E43718C9827D82E4BEA31BE6
                                                                                                                                                                                                  SHA-512:ECFBB03CAC1203927A6E21267C8198A62B359CCCF2A3E0EF4D9AA3C0B0A075F43D0E6B7FFFE2E225A170ABBA122BC62FF38A8682E64886CEDDF6B0236CE325A8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xW...........!................~.... ........... .......................@......{.....@.................................,...O.......................p*... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................`.......H...........H...................P ...........................................)....[.W......Ok.I.....&.R..m.....I}.t...kf..b!.g....$..C....H..R.:,.L..0.3.....L.R#YP.....IL1.i(...A../G..%........0..9.........o.....j.......-...+ .s......(.............-..o........*............&.......0..q........s......o.....j.......-...+R..jo........s........ ....(......o......~......o.......jo...............-..o........*...........0^.......0..,.........(.......o......o.............-..o.
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:MS Windows icon resource - 13 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):175221
                                                                                                                                                                                                  Entropy (8bit):3.6057445859805903
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:Fpznextut/yGjfT8nUa/XIHlbeA5yN6zHW156G6:vzeytxjQ9XA53HW15x6
                                                                                                                                                                                                  MD5:CE4C0FAC424ECDAFD490544CF10593B6
                                                                                                                                                                                                  SHA1:96B32682A928D5A9229B93586478A31E08B423F4
                                                                                                                                                                                                  SHA-256:A9BAE457E58D8BAB5FB10A3A6AE67D4453CECCECBE81C5AD066E86AAFD11A45A
                                                                                                                                                                                                  SHA-512:0F1BBF2C115CB9128594647FB9138B876E896B01CC86237EB00A695E38671955D718C4F9A712B4C0DD6CD40C99ABBC00B0442E5B192562B622EB3B9A660B228F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:......00.............. ..........~...........h...&......... ..J............ .(....h..``.... .....Ep..@@.... .(B......00.... ..%...G..((.... .h....l.. .... .....%......... .............. .....U......... .h.......(...0...`...................................K...]8..d;..f>..^4!.g@..jD..nH!.rM'.sO*.vR-.pN>.yV2.{X5.|Z6.~\9..^<..Q...V...\...Y...]...^...b...a...e...e...i...h...l...g...j...j...m...f...i...n...n...n...o...u...q...s...u...q...t...u...x...r...t...v...q...u...y...x...|...{...~...}...w...x...y...}.......y...x#..a@..fF..iJ..oP..pR..sV..vX..z^..~c.................!..!..+..+..,.....1..6..3..5..=..7...9..=...g...j...m...l...r...w...|..D..K..I..L..L..@..I..O..T.._..p..u..v......................................................p[...t...................1...Q...q.................../...P"..p0...>...M...[...i...y....1...Q...q..................../...P...p.................... ...>1..\Q..zq...................../...P...p.!...+...6...@...I...Z..1p..Q
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:MS Windows icon resource - 13 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):99667
                                                                                                                                                                                                  Entropy (8bit):6.776502745804188
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:RcfWrQG1GFkTvQnKKjRCFpgqmKN5+x3pJY:ufct1GF9n6FKqmrx3pi
                                                                                                                                                                                                  MD5:8F898251C85EE83FE4CEF753AD127FEE
                                                                                                                                                                                                  SHA1:965419910C1929CF695C530456950616B85596C5
                                                                                                                                                                                                  SHA-256:31DEE18EA1C5E7723DB0C13C630517963E79930474B275322A0CDE686C5953B5
                                                                                                                                                                                                  SHA-512:4397158E3EBA45B7CD27E931F353D72042B154416036874824CC1469FA9D533C4E67B7ED81A0A9EDB480F667A9716AE999D54B3F36EA1375344BB0E944AC8102
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:...... ......................(.......00.............. ......................h...6......... .-....!..@@.... .(B......00.... ..%......((.... .h....E.. .... ......`........ ......p........ .....3z........ .h......(... ...@...........................................................................................................................................................................`....o...................o...l..........lo....................o..........................................h....h....................................o...o...........o...............o...............o...........................o..........................l.......................`...............o.....h....|.....................................o..........................`......................h................h.................|g......................?...................................................................................................?............(....... .................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):16788080
Entropy (8bit):6.685932138686767
Encrypted:false
SSDEEP:196608:cuNY9QWMli9PtASPB28MjMwKQLiUrqu3he/a86CDkG:cuCWi9PtxBzQLNR0a8/DkG
MD5:D62710F3678538E483FFC7EA112D7F68
SHA1:54212AF34D394BEF6620C2D2CBB874660EBBE523
SHA-256:0F4903937AD02B65A212319365DE974F7B6529201343271B2E4CEC76A03522EB
SHA-512:81CE8E21FB80EDD29CDCF890FF694D3D4FB5242B18EB7DDD882AC46978B259D27F636914A0F059556FBE9D8EA7A3103EDF1C6AC6300F81C2891EFBE90B3F6F43
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:MS Windows icon resource - 9 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
Category:dropped
Size (bytes):207760
Entropy (8bit):6.4085333829790425
Encrypted:false
SSDEEP:6144:4xJ/R9PV9qWAEWgX+RyhJs1DC0/R2eGHSWCICTDCqK79yUiG7F3kzudR1aw9M0TU:4n/R999qWAEWgX+RyhJsVC0/R2eGHSWU
MD5:F214B5E008F3D23F4F01951247BAE991
SHA1:DB7928B37992CD0635AB5FC1E89547C6BE813B55
SHA-256:CED79B247B0C8DE449312B7CF5690E8E9DA968F22CC722DA70124BDF2A84C427
SHA-512:FA5211DF2922ABC3C5091E2098DF5FAD9681E2CDC8A3287AEC49F8694B11B776A2001DED052995A34E5EF52B55A207E6069393DD9BAAEFB82CEFC98824BC7774
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Dec 31 14:43:18 2024, mtime=Mon Jan 13 15:37:13 2025, atime=Tue Dec 31 14:43:18 2024, length=162168, window=hide
Category:dropped
Size (bytes):1955
Entropy (8bit):3.4282359727330247
Encrypted:false
SSDEEP:48:8pkdn6Gmb+ERGhdahidVdahB2dahDE7H:8O6Gmb+XGhThBXhDE7
MD5:7DDAC3E42ACE7C9B3BBA8295594A9186
SHA1:974F3E941F8D53FC988460F69EED8E48D7500465
SHA-256:4E04BE6281B4525D051BE1A0F4B29652168D5E15E85E3BE8FC00B4F5FF2F21BC
SHA-512:78066B91C044BED6B144691664AC970C87545EFB78D46C05AC68830A016850BCE082B48147CE52C9ED6C731F8DF67921F6ED454939353EF8FE28B251BA7C3562
Malicious:false
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):42
Entropy (8bit):4.0050635535766075
Encrypted:false
SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
MD5:84CFDB4B995B1DBF543B26B86C863ADC
SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:ASCII text
Category:dropped
Size (bytes):1096
Entropy (8bit):5.13006727705212
Encrypted:false
SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
MD5:4D42118D35941E0F664DDDBD83F633C5
SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
Malicious:false
Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):9174266
Entropy (8bit):4.780443521000387
Encrypted:false
SSDEEP:24576:KPQQ/6MP6P5d1n+wRcXe1Lmfpm6k626D6b6+eGnkywBIpv:Cy8OeG8k
MD5:BD0CED1BC275F592B03BAFAC4B301A93
SHA1:68776B7D9139588C71FBC51FE15243C9835ACB67
SHA-256:AD35E72893910D6F6ED20F4916457417AF05B94AB5204C435C35F66A058D156B
SHA-512:5052AE32DAE0705CC29EA170BCC5210B48E4AF91D4ECEC380CB4A57CE1C56BC1D834FC2D96E2A0F5F640FCAC8CAFE4A4FDD0542F26CA430D76AA8B9212BA77AA
Malicious:false
Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<label class="show show-all" tabindex="0">.<input type="checkbox" hidden>.</label>.<div class="open-sourced">. Chromium software is made available as source code. <a href="https://source.chromium.org/chromium">here</a>..</div>..<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<labe
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):176619800
Entropy (8bit):6.749624619122867
Encrypted:false
SSDEEP:1572864:SgRMg/aKxl4b7qCDQtjovZT78wLF2pArKgDz6ObiISXD+Dyj3eRalD2kGpTe/2H1:Gg/geeFXzGa9FzV
MD5:5DAD490CE110FCDF62D3F38296A3FC44
SHA1:D6ACC8D53CED56D53FE3EFAAF1E35D508D00AD56
SHA-256:E1AD240972ABB42861807E99AB09DB018367EA04462D201D48D55E5E353FB6B9
SHA-512:A3F81654B654006588BDB41664F5440B4FE97BE8DE01E4FF64D7DD4716531C411A477085C43D0BB5F38BD7CDEAB43C2865F345F53172CE781A085F066A165E4C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):154426
Entropy (8bit):7.915623092881329
Encrypted:false
SSDEEP:3072:AzwJCGIekwENgMBsFAXg6VKdL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:Azw1IekmMBdQXK18Gb0OV8ld0GecQ3Ey
MD5:B1BCCF31FA5710207026D373EDD96161
SHA1:AE7BB0C083AEA838DF1D78D61B54FB76C9A1182E
SHA-256:49AFF5690CB9B0F54F831351AA0F64416BA180A0C4891A859FA7294E81E9C8E3
SHA-512:134A13AD86F8BD20A1D2350236269FD39C306389A600556A82025D5E0D5ADAAB0709D59E9B7EE96E8E2D25B6DF49FEFEA27CDCCEFE5FBA9687ABF92A9A941D91
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):235060
Entropy (8bit):7.947114238566176
Encrypted:false
SSDEEP:6144:gDQYaSN6svydrI8jDQUgx5GMRejnbdZnVE6YoppO4:NfSN6svydZ6edhVELoXO4
MD5:E02160C24B8077B36FF06DC05A9DF057
SHA1:FC722E071CE9CAF52AD9A463C90FC2319AA6C790
SHA-256:4D5B51F720F7D3146E131C54A6F75E4E826C61B2FF15C8955F6D6DD15BEDF106
SHA-512:1BF873B89B571974537B685CDB739F8ED148F710F6F24F0F362F8B6BB605996FCFEC1501411F2CB2DF374D5FDAF6E2DAAADA8CEA68051E3C10A67030EA25929E
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):4916712
Entropy (8bit):6.398049523846958
Encrypted:false
SSDEEP:49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
MD5:2191E768CC2E19009DAD20DC999135A3
SHA1:F49A46BA0E954E657AAED1C9019A53D194272B6A
SHA-256:7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D
SHA-512:5ADCB00162F284C16EC78016D301FC11559DD0A781FFBEFF822DB22EFBED168B11D7E5586EA82388E9503B0C7D3740CF2A08E243877F5319202491C8A641C970
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):2866176
Entropy (8bit):6.71639664914218
Encrypted:false
SSDEEP:49152:G9T1onpO0KVy2xq6To8i4BZy7+niuoen6yfzv9x0WFJDI:upKNMo8rBYinp/FFJM
MD5:8F3D89744AE11B0925FAF4B64890D0D7
SHA1:6A8F744BE1F76E9AD28287D969D8D24F5F1E7623
SHA-256:11DAF2BF89A3AC660533B3E487E0624668B35F45D2BD94E9B0324BCE8758DE60
SHA-512:250C06E70276C08D3D8A63744AF6C570B6288E1D8FED8DEED915C79BF0A80C3CD0A7E64C55A16FCBC50CCBCBC9910B26F87983CEEEA8ED28A75C1B8EC22DB53F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):10717680
Entropy (8bit):6.282426578921538
Encrypted:false
SSDEEP:196608:WgPBhORiuQwCliXUxbblHa93Whli6Z26wO+:W8wkDliXUxbblHa93Whli6ZUF
MD5:74BDED81CE10A426DF54DA39CFA132FF
SHA1:EB26BCC7D24BE42BD8CFBDED53BD62D605989BBF
SHA-256:7BF96C193BEFBF23514401F8F6568076450ADE52DD1595B85E4DFCF3DE5F6FB9
SHA-512:BD7B7B52D31803B2D4B1FD8CB76481931ED8ABB98D779B893D3965231177BDD33386461E1A820B384712013904DA094E3CD15EE24A679DDC766132677A8BE54A
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):479232
Entropy (8bit):6.363205504415342
Encrypted:false
SSDEEP:3072:0Jk+JyNnPUXhbZ/+a1KYsjNDsrJg3qkrzxwbP6wvEMrwrD7Qy/x6TYtaoB+YEB0+:qbTcZ6+lOP9rmD7QMYYtaFy951wj5ze
MD5:F1FE23058E7EECE1DE389A0C882BC1AD
SHA1:E83B15D2BBCB6FB2867651A2A9797ED3B6827947
SHA-256:A4336A318E8D92A47843D5FE429DC6D1FF7271D8BAC189D719BC8074A128FD6E
SHA-512:D7D51FCB05542FA81E871DD9F1DD960C363107D1C25311DCBF81E440D1275054C121A788DEF8DBAE47C129E95FD990042E2D39E6EF2BDFB253A114146EB33973
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):7692800
Entropy (8bit):6.501902638931627
Encrypted:false
SSDEEP:98304:9x8EI0RtffaYFH3lV5D3u31okx/6bXm3q:LhXfTFHmoKgCq
MD5:76141455CD2705897D38E9785117E405
SHA1:EE091646B6273BF006CFCD84FD54384B0A9D0E0F
SHA-256:7B0BAA9E2E731716EFE3E0BEBF6A0BCD2D64F35D9F62B20D23ACB4E098C9BE36
SHA-512:551B79AAFFDC469448477AA72554458235F118559EECC567C232599A4193B2639C14EAFACAD533485089AF58701AEABEE690B43F36E41342F928D4973EFC02E1
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):489715
Entropy (8bit):5.4071564375394185
Encrypted:false
SSDEEP:12288:3an0y+3zo5ExirXKhaG1B2+H2JynyaI4IVzZo0vgElgA2W0PSq+2ss30fzO75g6D:3a0y+3zouxkXyd1B2+H2JynyaI4IVzZW
MD5:2602CD68EBE25F12F5D9892D5FA92B11
SHA1:478766DCC8CE4427872BEBD81AD929F7AEF250A3
SHA-256:E36A906908A92DAD39AD8E5B344B38C538574E35C5386AC2B901640B202D3228
SHA-512:6BBECBEAA6E09857A5698A280475496498A88488249025B2F58CA7A8493A77BC13FCD783041A6198F58696F4E2A84C3DBEE0891E89800DAC6F3FB317F70C5492
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):794986
Entropy (8bit):4.8798900601209185
Encrypted:false
SSDEEP:24576:/x1ATZg8/xp1GCj+VRRz085d9tcV03OzPkS:Z1J5Q
MD5:AC7A72616A544CDB022EDA20B0DC8872
SHA1:50B7F8363894A7E33042412804EFA2BDA510ABA2
SHA-256:1847F8517D8F26C856ADBF08DF3996D5F3B7AB61378199C138346BFE29675F01
SHA-512:D5B3B851A0D6615ECCC1223CFBA6B285AC8387E0C0F9DF1FB5BD95C9A208813B31F56546FC9C624E7F3A12B35AB7E8ACD13EA85025B5F9CF74DEF60AD679A546
Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):871955
                                                                                                                                                                                                  Entropy (8bit):4.902875426840413
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:4P9FlB5/G/d/RXCwR14fvPUKzUUk/K5MN0j+OzIh4pG:4LhQza5R+9
                                                                                                                                                                                                  MD5:4D0A0771176823BF004F9182B94BDE82
                                                                                                                                                                                                  SHA1:7E0601D8DCA0404736787D85918D1A680A7E68EC
                                                                                                                                                                                                  SHA-256:04E83274DEC0274DCCBD97DABCEFE3174EA1DA5B62B5D24E047E2036B93F3482
                                                                                                                                                                                                  SHA-512:6DD144273252026BCF08BE52189EA5A15410A42A616C9FAC14EDB4BE7D98023B65FA1746ED50B654E57F140790E8A92B1080F2F035ADB81B7D10AA473F2DCA61
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):906398
                                                                                                                                                                                                  Entropy (8bit):4.655210398798349
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:E+CDcquMMLYzzQkECPUwVbtcHU373ZA+3aAKHkVDYyKzumpod2nm5c0XuGox3QN3:hCDcquMMLYUKUwVbtcHU373Z93arkVDn
                                                                                                                                                                                                  MD5:D0B47C1CF62B29B866CA630958A019FB
                                                                                                                                                                                                  SHA1:BAE6E1AF9D7225584510443AED21A40FCEA349E3
                                                                                                                                                                                                  SHA-256:24C09721C3CB4F3FE7EB403113375257197BED808295C6B85532409B6664DB45
                                                                                                                                                                                                  SHA-512:39472B1F6859C10CC782A303761D63A2409807D7D342C3BC558075284CF455A26C3E1B9B4CE67A5FBD84E6C4B621ADCFD8FD8A819CFC25554962454E5F4B5816
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1170199
                                                                                                                                                                                                  Entropy (8bit):4.270267200548805
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:iOXg1lMf3u3jGVxXD7unXU7AI2HSzhb0Ylf14/QISydDbsh8VBbFKQg5hNDl2Ob:Hw3MvpXD7unLxSydHsh8VBbG5Hld
                                                                                                                                                                                                  MD5:83A0030387AFBE1CD2D6790079FC5024
                                                                                                                                                                                                  SHA1:9D4253D253167AEE6F3BA9CF6F8F376266832D00
                                                                                                                                                                                                  SHA-256:BF2FA4C57095E0BE63E8CD1AE6D2389D6417A91D8C9E1970EEEE5363C46F0D27
                                                                                                                                                                                                  SHA-512:20C92C5C3634A9663D933AA98D9356E18BEB8927F2975778967A65CC25522560784EABECFE99037008689CF3B77093C35D3F109F32AE2DB2160E9798415A3771
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):551632
                                                                                                                                                                                                  Entropy (8bit):5.40551102269728
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:WM4Hy2Q57BREeApk73K5PqF4N3Mw2juwHzejm0t3lvqbETX9/RSHhIsjcmlLEYuT:+itVzaBRn1WDMN8UpOO5J/ras
                                                                                                                                                                                                  MD5:D5D6200B582B9B12A0BD8C773DEA0474
                                                                                                                                                                                                  SHA1:341650B76AF1C74129A97725673B646B7256D4D6
                                                                                                                                                                                                  SHA-256:F4DA114B473C34E0946B12289F6E802FCEDE2F66013D4F184C729A1F8AE7350E
                                                                                                                                                                                                  SHA-512:1465E7214C4AE818B545778B831B7773F0373726F705160BA4DF33CE3C206A2166C8B6519336FD2B1E405EF6811D2CFDC2A655F1B767BF9B4E083C6A33B34AE4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):568567
                                                                                                                                                                                                  Entropy (8bit):5.839431034543846
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:0/AkCOZjqspN1oAUGCDAfiebO5zU8rEsiNOPY3SBFmPy38Qu:0dJZuSPoAUTbe65zU8rEsiNOA3SzmPH
                                                                                                                                                                                                  MD5:0E52AC897F093B6B48B5063C816F6CA1
                                                                                                                                                                                                  SHA1:4F4FEBB42FD7CDD0BC7DF97C37DB0E4AA16518E4
                                                                                                                                                                                                  SHA-256:5635587F6FFB152C027B4357092FE78168E31CBC7F6BE694C627F819C1AD1D73
                                                                                                                                                                                                  SHA-512:9CF5594AC47AE967BD4221F61B92C97343EA0C911FBE992D35A9391E3E1E6560B1B41BD031074CD262A622CA88AF3B25BA33575B456A4D5B8A7B897233C0A54D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):513715
                                                                                                                                                                                                  Entropy (8bit):5.450169156228439
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:gRsuNwWzVPsP5sbse814e8jKwlRDdJwL2obEZZaFRQ5Mk2rkvb3d4nTGqFwJ:g6qskjdTv5M/rvTpu
                                                                                                                                                                                                  MD5:D5BF4ABA2D82744981EBF92CCAADF9C0
                                                                                                                                                                                                  SHA1:1A1C4EA1D4ECF5346EE2434B8EB79D0BF7B41D46
                                                                                                                                                                                                  SHA-256:0C75ACB008DD5C918D8A1A73C22FA7C503961481BF1708F6BDA0DA58693C3C08
                                                                                                                                                                                                  SHA-512:5BCCC18687FCEFAD5E78C5C8072ACEA36CE7687C5B848A1E0367C82A38F32F46402FF01EDD4FB1379EE77083EF0E1964E24BAD87B18CE78077B28F0C1BD4BD08
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):549246
                                                                                                                                                                                                  Entropy (8bit):5.505323401507658
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:VJdzQHdf003K7UpKD93gFahmOW2xdVfwAXaOV5jbt5ZRYJoUjM5QIvCWa:VbIC03K7UpggFa0DtE3t5xUqvvCWa
                                                                                                                                                                                                  MD5:0BC4A1CF47A5AD423969F22AF3030231
                                                                                                                                                                                                  SHA1:3F6F19725068509EFD426600A6B512158267EB58
                                                                                                                                                                                                  SHA-256:E33EA8240835CC775A9E88942AA2905D17CEF84929602FD2C4F26F33F9BDC52A
                                                                                                                                                                                                  SHA-512:D9AB8855472077FBD7277A73FCB2BFA8CBB592F39E62957ACD91BFAC2E51DC24BA23D6C6DACB8DCD4EDFFFF5A59B2BB4D9761F70327AFA0A668BD55E95B00864
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):994931
                                                                                                                                                                                                  Entropy (8bit):4.737922927263801
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:2YcaPdGgxh1hxFJiL9+0JXDsSaSmqHuuD2Np6P4j/MAVH8yeVd85tRDQr3egif27:2YcaPdGgxh1hxFJiL9+0JXDsSaSmqHbp
                                                                                                                                                                                                  MD5:71ABCFDF468DC5813610DD32234BE946
                                                                                                                                                                                                  SHA1:AA4C14E702B06E391834E4CFC58929B873BC3D1A
                                                                                                                                                                                                  SHA-256:F1E01EEB90C0842F7AF927F65D034FC93FDBCBCB9B9EA7E31C79761C316C8FB8
                                                                                                                                                                                                  SHA-512:615B591E4BD744848E6E15B729E543FAA9AB06DB11F042FFF12FFEE6FD3E7802C9DA37D8784004E6727FC39CDE17BECB60C1158DEC401E20A088056451693BB8
                                                                                                                                                                                                  Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):447042
Entropy (8bit):5.522859001768912
Encrypted:false
SSDEEP:6144:hR4GWUMzWjLCI7MP9ej7HXfaYISMv5n51SKBcWRnpM:UEh7Ma7H6N51SOM
MD5:413E4484B8AA83BF7D928AF143340DD9
SHA1:92B8DC474FD507F28C51B34014FE9F867AF25531
SHA-256:AD460425C88BE889D6D6A9B69D0B6F64E2E957BF8AC4F230DE4D25340C75BA87
SHA-512:E8AB41CA706D8A49B4A411FB9F50BF1C04627DAB452A7AEC01A5C61E4951FDE42FC05163CBD193F034BFEE378849353DB9AD4B8A2DB3F992DF105DF17BB146E0
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):451080
Entropy (8bit):5.512024572152552
Encrypted:false
SSDEEP:6144:UVmES/piH64PrXGM0w3jMMP9eD3D9faYLbcNx54SbngP/eoQwB:Umz14XRlMMY3DzA54S+QwB
MD5:8F164155D22029535CD60F47966A89AF
SHA1:19733935EFE68F7FF3E2A84D28317E0391EB824B
SHA-256:20BE1732675FEDF380010B09936ED65C71BB761D0A05732215EF0795B5ABA606
SHA-512:4582715817BB9C99D875AA89B1EFBD0F70B63DCD37DBFC64E3078D1D4D7AD4AE8FAC5A703AFE1FC65B9AF2F5C0FE8D3E293E2F0530106A6974B38B4CEBCA9DB0
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):543303
Entropy (8bit):5.374575506060356
Encrypted:false
SSDEEP:6144:BJoGuBgJYXqY+clpuYsKBoj5z6gLFdUu2bR:BJqGiqQpPU5z62F/oR
MD5:6E7EEE3C0D7935B4B72FB529227413D8
SHA1:64643BA51EDCA0C0387073716D68380DF5E2DC7C
SHA-256:06D13FFC791BB7189F5AFBB166B1DC2BCF9309F04B68E4F16BAACD4B3F625021
SHA-512:F55A55D9F23463A51F48BD16DEBCC6FCA28EEC4CEFBB3006083E741795EDD9A9EFB8D1126210F4A35558BC698C8A76A43E9E56093A90145137A7854B4A2E44F8
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):543232
Entropy (8bit):5.350780003321714
Encrypted:false
SSDEEP:6144:DD8qint0wME1/o/7Ng0Hkp3+UNoqFtnjO5Jmr40nIw6PZgHu:D4vthMsy7EpPoqTnjO5IrbnjO
MD5:1EFB37FAA54DA5A7D9FE694FEE7D5E4E
SHA1:497F6E0FB9DC099DFD8E107570FEBE9D0A6EBC2D
SHA-256:77AA01763C114B75A83DE3C34C60497B1CA23C98523F58A43C76AAE7380AB3B6
SHA-512:FACC41943159DAD7541F5D50B8216F6CCF02703A983DD81120F387DDEA70D502F5D66C275F80267C7A3B1EB9F1C751A4EC3B307D03F872BE4237366637BB829A
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):493540
Entropy (8bit):5.454116761923621
Encrypted:false
SSDEEP:6144:+pQdZQe2AH5hJ1HNR5yyX+DuH/Fb0WmFosS4Eqsoh7Pwiw5dQH57jnMlvCKMvaKL:+yZ92ejyyIuJmFoszwQH57jUW
MD5:78A8A4956B1CD09124B448985A839F28
SHA1:A25BCAB44ED12DD0DD643AA6782903B22B84816B
SHA-256:AC1431E61F8C6C56EF96860DC8A8DDF840DBF6965AF6B920D811B7E39ADAB6B1
SHA-512:843BAFCE3E528BA98A3FF537B01D7896F83C22C0AD2E43BBCE83381FAA943D74D7B11B419DAAC0B0F57DE30D5792E3262DEFE9C68F5F4C7CA84B173395D14798
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):808052
Entropy (8bit):5.022679220176124
Encrypted:false
SSDEEP:24576:Jap2Eq8u313uyqoT+s7q+NRmX1loT4RmdAQifaQ2XxFMJGk620driUHMX9O9xdpW:sUjJ5SV
MD5:6C6C939CBCE5A9AE6B6A89B9DC1B14CD
SHA1:8674B02FB2A11BA6664427C78401D261DCEC859C
SHA-256:D77AADACDB5B72345C68590ECE6463EFCDD4E8817FE3DEDAD98D64F132B8E48F
SHA-512:3CF8ECCAC20108550C2A7758531AE992D72AA23396ABDFD38E613ED26FC755FA33385B4538DCE9E19309B622973CA6D4C0FEEEDC7064DF9BB12419DFC630D545
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):504052
Entropy (8bit):5.421469618205756
Encrypted:false
SSDEEP:12288:/aVXt4D7SmA19ub5KuOar5yZ7kfCHEpyWaM7OYM:/64D7Smll5yFHZl
MD5:83DEC7D70140F96E780BCA0E97EB3DFA
SHA1:E0C9891241D88716419F476BB193ADA5D8606EB1
SHA-256:AE902AB57A1325D4F0A0A1C69790F28F5E49B5671A99C4C315367B4425D1DE97
SHA-512:7B1851C2476290DBDE7DCBEFBE75F89041EC185DC4354DB55FFE2DA588E17363403921EEAF9FD26EBA8EB4DE3BF99876339DE1DD4219EC6F5E2EA3679B90BE71
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):569703
Entropy (8bit):5.1919702904490395
Encrypted:false
SSDEEP:6144:aZdptKHeHQogDYIQy7DQEuH2V8L0dnGNLmG5IXmr1YARQqK:odM5kxEG5mmg
MD5:E499AF17FCE1F7F276B3BFB0E1B2F5B2
SHA1:E2BF18ACF2A9E357AA7A694B5C60F947FD8BB0C2
SHA-256:A30015021FB928BCF16F9409FB45FB89CA3D196BAFB3597DF3FE4A9E477A3FD9
SHA-512:A1F03B7A6EC3F4601052D4E1F2CA6C092D9E5FE41CE7DF89F7E7FBE1A1892DF73A9CB85058F3C24E1236ED013E2BDD017F7BEC3D6B6FF13CA61BF0849C73F472
Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):587932
                                                                                                                                                                                                  Entropy (8bit):5.385302506831163
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:3OjnZLqxMDpDgEL6QuaMVWXKz05FlZQmZyMYnYtzLl9ujzx4e5hxkJSW7v40wCJY:3Okm2VqN5Q7
                                                                                                                                                                                                  MD5:606E583292DBEAE8A3742A700D09E1C2
                                                                                                                                                                                                  SHA1:BF49B446173BA81EC3F926D69B87A81C5E233C4E
                                                                                                                                                                                                  SHA-256:C22E274FBC4A033CB8A9A4E9A96F82487DC671EC0AD49B3257939D2A8A751442
                                                                                                                                                                                                  SHA-512:47277EDBFB2DCE8724900C0A7B0231E34DEEE19B268F46C08D56ADECAD38D629D79466C26B701B6F43607F7DCDE55B1BBF6C3D73BDBD7E22096A0D14AD901621
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........F% .e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....X.....f.....x...........,...........L.....n...........U.................=...........".....>.................m.................J.....v.................Z.................5...................................>.....b...........@.......................i...............................................#.......................d.......................^.......................d.......................|.................-.......................0.............................{.......................z.................A...........%.....<.................0.....N.......................$.................*.....F...........Q.................-.....|.................-.......................z...........,.....L...........J ..... ..... ....8!.....!.....!.....".....".....#....h#.....#.....#....0$....]$....q$.....$....]%.....%
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1148544
                                                                                                                                                                                                  Entropy (8bit):4.309990877698155
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:A4TQMBc+YPbBMDBW6bfrBDNOHIwjAwREJKVMjNiT7llj63rFXlPCpMi5eWWiMJsr:A4THSPbr6bvMa/+c5q4hNkFR
                                                                                                                                                                                                  MD5:DBC465E12C921212C1A3E899E5FD5046
                                                                                                                                                                                                  SHA1:F6F7081E622DF0FC9647DCE0572483899A59E440
                                                                                                                                                                                                  SHA-256:7B06F3B7040901E7DBD2884BA534D43E73013CE0677BC725D53BCCD54759AD5E
                                                                                                                                                                                                  SHA-512:9C3F3E7E7A62A0148789F561C37144F971ECC16C44A4F5A89214CBD7FADE0E1D2CCCD5C106C4718DF84A198262EF139A6530C400F5C0873231009E8B432BD3BC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........T%..e.R...h.Z...i.t...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}./.....7.....<.....D.....L.....T.....[.....b.....i.....j.....k.....p.............................V.....S.....$.....`.....S.....................................................U.......................;.................f...........P.....p.....S...........n.......................J...........b.....6...................................+.....(.....#...............................................(.....d...........D...........9.....a...... ..... ..... .....!.....!....."....."...."#.....#.....$.....$.....%.....%....q&.....&.....&.....'....7(.....(.....(....^).....*....i*.....*.....+.....,....P-.....-....?...........F/....o/...../....t0.....0.....0....u1....V2.....2.....3.....4.....4....h5.....5.....6....-7....p7.....7.....8....K9.....9.....9.....:.....;....'<....Z<.....=.....>....|?.....?.....@.....A....0B.....B....pC....<D.....D.....D.....E....gF.....F.....F.....H.....H.....I
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):708276
                                                                                                                                                                                                  Entropy (8bit):4.622250398985609
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:N7wJFZb6J5hhT3BluYCy31frspm2GWqu/kol4JACVXbfeQCajLn5O67cE+oixB0X:ZUFZQjb5woB
                                                                                                                                                                                                  MD5:0002D6ECC7F06D88DC714DEBF31C925A
                                                                                                                                                                                                  SHA1:4C5DE1E0A8EF47B0D98BB3A9C5C1EE176F0DF3EF
                                                                                                                                                                                                  SHA-256:D71C98ED9EF2AAF13033332DCD40F41785656C156D41614916353DAA3EA5F2A7
                                                                                                                                                                                                  SHA-512:060C668B540813055F7537B64F8A9F4B393E3E1D31A6341C603644725EB8673E3249A07B7F519CCCDB65C4D2ABED2792580DF880CFB8B9B154D9DDADB3ADE027
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........4%2.e.....h.....i.+...j.7...k.F...l.Q...n.Y...o.^...p.k...q.q...r.}...s.....t.....v.....w.....y.....z.....|.....}................................................. .....!.....".....$.....;.....T.....m...........O.......................9............................._.................d...........3.....U...........J.........................................g.................?...........V.................f...........E.....d...........[.................C.................#.........................................(.....U...........?.....q...............................................<.....O...........E.........................................E.........................................A...........h.................Y.........................................4...........+.....{...........9 ..... ..... ....1!.....!.....!....."....3".....".....#....G#....`#.....$....u$.....$.....$.....%....u&.....&.....'.....'....>(.....(.....(....g).....)....4*....[*.....*....G+....w+.....+....P,.....,....=-
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1211426
                                                                                                                                                                                                  Entropy (8bit):4.285504136009603
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:EzCplnpUoc9rQtU2BxfwUV/BB0ZV1d+uxlRLiW3Jd1eTByntDPtDl+p1as4u/8W0:Ez/Xlexoev85P5+hgr
                                                                                                                                                                                                  MD5:5FE0B17532CFC8523F97EE17DBA844A7
                                                                                                                                                                                                  SHA1:6233FD3670BCB32C4EFEAEF7BDB41ADEE6EFD825
                                                                                                                                                                                                  SHA-256:352F833B4F936369216EEAA1F8C5E652B34A36CC143FF9A872B0608E4E88957C
                                                                                                                                                                                                  SHA-512:A37DB9DA6D9B5F913930712A57FED8EBE1654787B246445A40F59A91FCC67373367CADAB2DD70A89445514F2D6D806FA3DFD744461E2C15777FFAD30D3D0BF12
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.........%L.e.....h.....i.....j.....k.....l.....n.%...o.*...p.7...q.=...r.I...s.Z...t.c...v.x...w.....y.....z.....|.....}...............................................................................7.....b...............................................'.....b.........................................F.....u.....H...........V...........>...........9.....\.....C...........F.............................D.................N.....w.....^...................................D.....v.................s.................9.................q....." ....u ..... ....3!.....!....."....&".....".....#...."$....S$.....%.....%....$&....C&.....&.....'.....'.....(.....(....b).....).....).....*....B+.....+.....+.....,.....-....L.....|.....8/...../....00....\0.....0....x1.....1.....1.....2.....3.....3.....3.....4.....5.....6....[6.....7.....7.....7.....8.....9.....9....{:.....:.....;....a<.....=....:=.....>.....?.....@.....@.....A.....B....KC.....C.....D.....E....>F.....F.....G....FH.....H.....H.....I.....J....DK
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):548310
                                                                                                                                                                                                  Entropy (8bit):5.5075408976258435
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:21tKv376P+UG5oi2IAD1OaBV08HSrk7D+wfWrDfB+uhAxqOSAq6+xMcwd0uP5qci:21tKvL6KrA5nEBwuBhbkBc5Pg7YIjemK
                                                                                                                                                                                                  MD5:7BA9BF24F9965EF7FF2A9EEA86188EE0
                                                                                                                                                                                                  SHA1:B9953144FB5E519A7A35AE595A29D15BBD34C0F1
                                                                                                                                                                                                  SHA-256:F882072827C75A5C046E29CC4E2468A41CB786199045B58550E978272D338FE8
                                                                                                                                                                                                  SHA-512:768213543C68CAF8CA941B1C7C87E5DDDAAFC4915457A849C83B4FECE528BB7BDA409B99930572DBC6A102FD7DBB29A593073B1D5B894708AB2B2019A938BE2B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........r%..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.(...w.5...y.;...z.J...|.P...}.b.....j.....o.....w.............................................................................w...........e.................R.................#.......................q.................(.......................$.....y.......................x.................,...........).....}.................k.................+.......................M.................'...........@.................%.....v.......................P.....r.......................6.....F.................@.....U.................2.....A.................D.....Y.................,.....<.......................$................._.....z.................<.....Y.......................?.......................,.................Q.................-.....R.....h...........5.....g.................a.................Y...........4.....F.................l.................S ..... ..... ..... ....0!....N!....`!.....!....<"....z"
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):590492
                                                                                                                                                                                                  Entropy (8bit):5.641447107584658
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:OUyE1INoBuT80LvP9/Hs8DfcAujkatvV5RvBFZfpdVYGkb7ZNIeHK9njDi54Rryy:OUJSNI4/sA0V5RvBnuzzKY5y0n4
                                                                                                                                                                                                  MD5:AB64CF95B5231922340ECEC09182DCB2
                                                                                                                                                                                                  SHA1:9EDDEEF898E4A4C1EC6DB989587A75FC3E8A1E75
                                                                                                                                                                                                  SHA-256:E806294A2D609A514DFA416A07625FB2F173018BB2E278323F752EFC459C39F8
                                                                                                                                                                                                  SHA-512:BEC74EF13DB548FB9B225C6AFFF2841D5BD987D4EA129ADEDF6E5B852D004F89CDCF5FD4A6CCB1E4E5448EF38D488F258E3D5CC49C24775A34647CC0BB7102E5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........1%5.e.....h.....i.%...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....|.....}........................................................................./.....E.....Z.....n.................=.....[...........R...............................................&.....\.....u...........O.....v.................].................C.................&...........M.................;.......................o...........+.....;...........>.................3.................>...........2.....^.....{...........S.....z.................j.................9.................,...........6.....y...................................Q.................4...........:.....|...................................q.................-.................$.....M.................S.....k...........g.................S.......................I ..... ..... ..... ....v!.....!....+"....L"....."....z#.....#.....#.....$....#%....p%.....%....;&.....&.....'.....'.....'.....'.....(....9(.....(....*)....u)
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):486837
                                                                                                                                                                                                  Entropy (8bit):5.373459958164849
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:Xedqj3oEK2twd/yG1wF6f+eVnjHF3mmi8IxZ5wZhrwkK5cTSzo7IEji4JHF:2qj4MWFytFyVnjHFWmNIb5wZhlF
                                                                                                                                                                                                  MD5:D736B044FA41A639E13A2BFF3972A182
                                                                                                                                                                                                  SHA1:9CD13B7D8E1B11F13DBB1FBF7EB8A6263F27ED07
                                                                                                                                                                                                  SHA-256:C8E30F0C11D78C7D603DF40BF6E9B2FE896EB36A8EEE27D9621A537545B2F609
                                                                                                                                                                                                  SHA-512:DD1CF38ED3B3C93395A1AF45EC81D6B665112280B89AA5F2108DDDC6F2290F3BCA0DCC696D8DAC4967B4D58C248B2C425E6CF36CE5A93CA1F80D17B00EA2D4B5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........K%..e.@...h.H...i.Y...j.e...k.t...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.............!.....).....1.....9.....@.....G.....N.....O.....P.....R.....`.....m.....}.................u.................*.....v.......................v.................7.......................:.............................\.....}.................S.......................^.......................J.....t.................).....V.....c...........).....d.....w...........R......................./.....J.....[.............................m.......................F.......................-.....~.......................V......................./.....\.....h.................H.....U.................?.....Q.............................T.......................,.....r.......................V.......................-.....G.....U.................5.....D.................<.....U...........M.................#.......................6.............................M.....l.....|...........;.....r.
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):536254
                                                                                                                                                                                                  Entropy (8bit):5.290910182310605
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:b+EGmPIUsd4x92/ii/jNLiISIqRRRsO1StORT9TjexKqcQxLcaPpzHi9fLwlSfpA:BPIxmjZxa8uN6sjoy5IkoW
                                                                                                                                                                                                  MD5:52109B028A189C75C3889300B7EC728B
                                                                                                                                                                                                  SHA1:AABD5CBBFFF52B6D89158B0D78CFD6FABDE706AF
                                                                                                                                                                                                  SHA-256:89D7EC12AA52D5F2298D3FDDFA24439BD89031C4341F1D2B9900A2E46664F7D8
                                                                                                                                                                                                  SHA-512:8766CC41EB7510F200E0F8E27A2678B3F50378AA6F1764B11DA79D120248B6ECCCFAE7A4863AE437AD66133BA0C1BB25F5242AC9DBCE87916382F18BBA1E2256
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........U%..e.T...h.\...i.m...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....y.......................I...........7.....S.................Z.....k...........c.................s...........'.....P.............................o.......................r.................6...................................{.................9.......................V...................................g.................3....._.....}.................A.....O.............................|...............................................d.......................8.............................b.........................................F.............................J.....`.....v...........$.....P.....e...........A.................#.....f.......................<.....g.....z..........._.................g...........W.....n...........h................._............ ....- ....z ..... ..... ..... ....\!.....!.....!
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):655212
                                                                                                                                                                                                  Entropy (8bit):5.686448471913808
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:tPm/rHeA9VXH3Wv0WSGRpZXQ2y+BbX5znS1V7:o6UJHmccpZXQ2y+N5znC
                                                                                                                                                                                                  MD5:5C8C92313284117F3C549DC53273AE8B
                                                                                                                                                                                                  SHA1:697F746CFFBBCA1D43BBF29AC1619318BD3DC96D
                                                                                                                                                                                                  SHA-256:4C34AAFD5794886A4D091C4F4A97642BB9F199B90203D904E14E503FC3EDB845
                                                                                                                                                                                                  SHA-512:1C1232B6CDE8CBE2D827BEF0C0495165B4CC27494249BCB44B73D03404F3070AAF2CBD72F8425D24D197F14757553157858951280E524608AADA053EAE028DDC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.........$..e.....h.....i.....j.....k.....l.....m.....o./...p.<...q.B...v.N...w.[...y.a...z.p...|.v...}.................................................................................................@.....a.............................v...........*.....B...........m.......................L.................a.........................................&...........".....Y.....~.............................e...................................$.....3.................K.....Z....................... ......................."...........#.....d.........................................4.................0...................................P.....b...........M................. .............................:.................:...................................!.....B.............................6.................4.................. ..... ..... ...."!....b!....}!.....!....R"....."....."....J#.....#....R$....g$.....$.....%.....%.....%.....&.....'....G'....h'.....'....V(.....(.....(....;).....).....*.....*
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1316964
                                                                                                                                                                                                  Entropy (8bit):4.222438704648711
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:g0bF+kiawFCJiDQ6f03QIBRFUc407L5PtzUk4pt+h9bu:g0bPinmJL5ZUV
                                                                                                                                                                                                  MD5:17D2349C9191C0E9D70B03FF3E240B3C
                                                                                                                                                                                                  SHA1:7B425B76CD479273CA092606DBE326A1301FA472
                                                                                                                                                                                                  SHA-256:EB1BD5B8F89B9E9B568912455AD3B8A791F3370A34411E6FC982A661CC1B05AD
                                                                                                                                                                                                  SHA-512:7EC6AD8B7CFC80782B8CA1702BE66B56FFB8AADB307CAFC5F6C4D365FD3FD273FFFF737E496A36F9162EFDCA5189B06A137753BA3A70418F490DEFA9884F2B96
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........x%..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.4...w.A...y.G...z.V...|.\...}.n.....v.....{.......................................................................]...........(.....\.....]...................................t...........h.............................e.......................B...../...........y......................./.............................7.....=...................................a.............................. .....!.....".....#.....#.....$....0%....{%.....%....l&.....&....Q'....d'.....(.....(.....(.....).....).....*....5+....o+....C,.....,....x-.....-....O....../....r/...../....v0.....1.....1.....1.....2....T3.....3.....3.... 5.....6.....6.....7.....7.....8.....9....]9.....9.....:.....:.....:.....;...._<.....<.....=....F>.....?.....?....#@.....A.....A.....B....\B.....C....XD.....D....7E.....F....HG.....H....cH.....I....JK....HL....}L.....M.....N.....O....*P....bQ....GR.....R....:S.....T.....T.....U....VU.....V....rW.....X
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):553673
                                                                                                                                                                                                  Entropy (8bit):6.059297407958035
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:OokI3UKOV2Ngi7w2IyxxMSVG0GTZn8t8OQ4E3hkaYrLCqD5dEp7RqGT8U1wXq7hW:sFel5i8QzCr
                                                                                                                                                                                                  MD5:714958C45E5EEBD32B6799FFD76159C0
                                                                                                                                                                                                  SHA1:B38CA8FFBEE6FDAAA00DE9C77074F4F6BBFEFB8D
                                                                                                                                                                                                  SHA-256:87F8003E7FE90A487C1007A626D30B8A77FEB54E627D3FE365DDB6A66A7E4AC4
                                                                                                                                                                                                  SHA-512:E60E77022902BF13E747354BD1AE5E9C3F4E8E6642D52C0EABDBAFF7B829ADD3251851A02B65F941985D31C7D5EA02347023F33269336B8B476E2314924022BB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........w$..e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.'...z.6...|.<...}.N.....V.....[.....c.....n.....v.................................................................a.................9.................S.....f...........J.......................t.................+.......................0.......................?.......................P.......................i.......................].......................\...................................U.....l.................B.....Y.................$.....4.........................................1.....M.................E.....U.................P.....c.................O....._.................N.....^...........S.......................^.......................Y.......................d.................).......................N.............................l.......................`................./.......................q.................!.......................+.............................|.........................
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):594260
                                                                                                                                                                                                  Entropy (8bit):5.634301538864236
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:55mDjVARjMAUbgXaG1DT/G5qzIx1JgNR86SNM:+9IMQqOG5LxngNRX
                                                                                                                                                                                                  MD5:1051DEEA3EB2BC73A1CBEF894635541D
                                                                                                                                                                                                  SHA1:A122975C2C3366FC4D87AB4C6C3C6D65FF6AA4A9
                                                                                                                                                                                                  SHA-256:95253DEAE9554317C60490A982A4D310C87238096E3BAD0329E8BF4C944CBAED
                                                                                                                                                                                                  SHA-512:2DBB1DA602FE9966C03DEBB03C1B793574968D68C5386FBBB7E56E97D6626DBE4991ECA6B9C470BF778A327E3DB29530977D25BA40E5704501696DC8AF8D0302
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........Z%..e.^...h.f...i.w...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|. ...}.2.....:.....?.....G.....O.....W.....^.....e.....l.....m.....n.....p.....~.......................F...........4.....O...........e................._...........9.....S...........J.........................................S.................&........... .....T.....y.............................d.................%.................M.....]...........u.................f...........D.....b...........D.....k.................i.........................................W.................(.................V.....e...........c................./.......................e.................!...........T.................8...................................C.....k...........].................=.................-............ ....& ....9 ..... ....`!.....!.....!....S".....".....#....>#.....#.....$.....$.....$....v%.....%....8&....X&.....&.....'.....'.....'....:(.....(.....(.....(....Z).....)....**
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):593573
                                                                                                                                                                                                  Entropy (8bit):5.6301516471633715
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:fZBZxz1/4i+sRe28W/raTmNstVFph6T97vcGj/kbO15UyYTbEwTe757esFOHAYX0:hNylsRpWXQT9PrV15cEwTY5tONA19
                                                                                                                                                                                                  MD5:0308AEC65AD35B2282571098DDDBA5AE
                                                                                                                                                                                                  SHA1:5DD9A983BE7C29405575C658E73633F678FE4469
                                                                                                                                                                                                  SHA-256:54541C9ADEE8711C3D391B67B2081214166621212A670B0F2D633D1E2623A757
                                                                                                                                                                                                  SHA-512:967D4B19F8455B3D5633E6B9ADA3904B7974414990E705590FA2D2D0B2E721789165D4A2877C56287BCDEC27205C3D47D1F7CDFE912D4A27023E3AA087626ABF
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.........%..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.&...t./...v.D...w.Q...y.W...z.f...|.l...}.~.....................................................................................................p.................]...........(.....;...........p.................\...........-.....L...........+.....g.....r...........g.................#.............................9.........................................m...........3.....F...........j.................X...........N.....o...........:.....`.....v...........C.....l.....~...........Q.....x...................................]................. .................E.....T...........=.....p.................y.................V...........I.....a...........$.....?.....T...........S.......................y.................>.................H............ ....5 ....N ..... ....R!.....!.....!.....".....".....".....".....#....P$.....$.....$....N%.....%.....&..../&.....&....*'....d'....t'.....'....F(....a(.....(.....).....).....)
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1369647
                                                                                                                                                                                                  Entropy (8bit):4.256761759711836
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:oQyj0aIA2cMmsbbAU4LJxFq/ixn9mMl6UQ6KfUBp/OZCBEmeyo3ewhp5A47uhs4s:oQygaIiMGKfUBp+yo3eo5A47ks4+3X
                                                                                                                                                                                                  MD5:83069898AFA7CB0A288CF8D17505536F
                                                                                                                                                                                                  SHA1:2EC0F1F3CCDE4F88BBDF37EB1BF8FEDA82B12AB1
                                                                                                                                                                                                  SHA-256:957B57BAC9D8A927BE5CFBB74D23DCF69CF2678ECD4FCF2158A391F7A02FEA87
                                                                                                                                                                                                  SHA-512:E6F549C732F0BD0938B140978C49B2AA097876970ADFD7B87CA593ED54C3456C041FAC28883CFF7DA61C7EE3952A6C7EF2C4FAEDBFE6A23522FF6FFB083C24BB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........t%..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.................. ..... ....^".....#.....$.....$.....%....j&.....&.....&.....'....|(.....(.....).....).....*.....*....*+.....,.....,....V-.....-....n....../...../...../.....0....n1.....1.....2.....3.....3....W4.....4....c5....+6.....6.....6.....7.....9.....9.....:.....:.....;....!<....Y<.....=.....=.....>....T>....0?.....?.....@.....@.....B.....B.....C.....D.....D.....E.....F....ZF....|G....sH.....I....TI.....J....UK.....L....SL.....M.....N....yO.....O.....P.....Q.....R.....R....-T....(U.....U.....V.....W.....W....eX.....X.....Y.....Z.....[
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1125467
                                                                                                                                                                                                  Entropy (8bit):4.28845834623339
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:JASH222GPf+r97QyNiMJ0voJZVLF2wnVPbtwpFFyGRU3RxYR3lDdjE9xOUq/1A3Q:rYo+rdQyh0oaSpgKZmbzAyCLj5cpAK9T
                                                                                                                                                                                                  MD5:E45351AD81BE0444C2731E0FE2457BFD
                                                                                                                                                                                                  SHA1:23CAACD7F2354CB3C1A72CC89799DAAE3089EDE3
                                                                                                                                                                                                  SHA-256:BF42C87554153B83E53ED8B839A74A50E893ABDA190D7DDD73521CC6D121DFA7
                                                                                                                                                                                                  SHA-512:B93E70B09EB536A2AB58A064B05AA13D6B0EED08EE1681AB9C59374D119A8BF3CCC2793FE005D0C51734AFE25794C9BBD759EF7085A4B9FA6C3DD5E29D0F39B3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........*%<.e.....h.....i. ...j.,...k.;...l.F...n.N...o.S...p.`...q.f...r.r...s.....t.....v.....w.....y.....z.....|.....}.........................................................................>.....`.................#.....[...........U.................H.............................8.....>.....;...................................$.................$.....D.....N.....,.................f...........m.......................~.......................a...................................P .....!....]".....".....#....g$.....$.....%.....%.....&.....&.....&.....'....H(.....(.....(.....)....~*.....*....&+.....,.....,....M-....y-....@....../....a/...../....D0.....1....]1....}1....P2.....3....w3.....3.....4.....6.....6.....7.....7.....8.....8.....8.....9....4:....j:.....:....X;.....<.....<.....<.....=.....>.....?.....?.....@.....A.....A....CB....sC....lD.....D....>E.....F....MG.....H....3H.....I.....J.....K.....K....KM....UN.....N....cO....lP....JQ.....Q.....Q.....R.....S.....S.....T....3U....'V.....V
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):510468
                                                                                                                                                                                                  Entropy (8bit):5.247079358159538
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:v8fC43K+W84G7nWiBx7+2YRldjiMIUcGm95bbHxOM9LLEWVHc:0V3KE4CnPx7AldPc9530Me
                                                                                                                                                                                                  MD5:EE31ADEDC69D7926395E4740E724245D
                                                                                                                                                                                                  SHA1:4403D976C2C559747E15B219E76342ED3B41E5CE
                                                                                                                                                                                                  SHA-256:280AE72F9FB328D6B9E0BAA5C27157E7E5BF0EBF699EBEAC597DA0ED4F670776
                                                                                                                                                                                                  SHA-512:69426971040E9C8C5F9645A9E8ECE83E166575C23D9B1C5DB3F5A22488E5F7988127799FFF4CBC7445D8407E5F0761A666713C433030ACCCA4C991DD323F3181
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.........%..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.%...t.....v.C...w.P...y.V...z.e...|.k...}.}...........................................................................................................s.................N.......................p.................7.......................Q.......................G.......................I.......................o...........(.....@.............................m.......................[.......................x...........E.....W.............................a.......................3...............................................&.....................................................m.......................`.........................................0.............................b.......................?.....h.....y...........(.....]....................... .....,.......................-.................;.....T...........K.......................|.................5.............................Y.....{.................9.....f.
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):495339
Entropy (8bit):5.423906423434989
Encrypted:false
SSDEEP:6144:GsKfvlCYYJ+8hz2bdXw5Op7fW9SighmrlDhP5RV5iM43CuMhVCD9vt:KVCj0bxw5Op7fW9S8lNxRV5iM43JF9vt
MD5:03F4AB4F1D042E41B37438AD38DDC794
SHA1:D465F7B3B05AC289F7C96FB9CF6603C30AF81466
SHA-256:1A35A4E5348CA851ADEC4EA1C666D56750D39174A35D74AB87CD061ABE063BF3
SHA-512:D0007B98BA9D9F2BC102A516CDE49B3982DB4698A1BD31E22104F5F634072943C98C7CD53E8CB02E320FD3A1455F8AE42DD99679A527C64723BD3BBC37743C23
Malicious:false
Preview:........^%..e.f...h.n...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....|.....~.............................Z...........M.....b...........+.....d.....w.............................W.......................X.......................F.......................G.......................s.................;...........H.................".......................^...........#.....=...........].......................h.......................=.....b.....r........... .....E.....U.................T.....h...........(.....V.....f.................`.....p...........#.....L.....\.................H.....V...........@.......................N.....t.................2.....Q.....j.................9.....K...........8.....w.................b.......................n.................$.....u.................2...................................E.....n...........6 ....b ....u ..... .....!.....!....<!.....!....."....5"

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):511257
Entropy (8bit):5.365372926149592
Encrypted:false
SSDEEP:12288:syWoBilbWusvbgQ5Max5btohx4Gp7KYjOTy:syWIilbWusB5Max5behx4Gp7KYC2
MD5:834219D952A58BDB01B40CCE5269D449
SHA1:C325FDD7E21E993B745233086C9DF4376901E2B4
SHA-256:9B46EEC8A0B0B568DDC35387CA02C2116BAA7520EFB04D92325FEC17D5091353
SHA-512:9C28177D8530B24FEDCCDD7B4562A87CDF08567410D82FFC3E5A874474695A18EB533E7D55E4A901B77C873A22BEFF570B5C5CD79B47947B5BF3AF2C38B9D486
Malicious:false
Preview:........M%..e.D...h.L...i.]...j.i...k.x...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}....... .....%.....-.....5.....=.....D.....K.....R.....S.....T.....V.....b.....r.................#.......................r.................".................N.....d...........1.....g.....~...........).....R.....a.................5.....C.................R.....s...........K.......................`.......................o.................-.......................v...........5.....N.......................%.....s.......................G.......................6.......................8.............................p.......................O.....{.................D.....x.................c.......................r.......................X.....y.................F.....n.................R.......................W.....u.................M.......................b.................H................./................._.................O.......................8.....\.....l............ ....\

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):571219
Entropy (8bit):5.764870780434209
Encrypted:false
SSDEEP:12288:HlRzWoOB/k0wvZfQfR6HA5bFVP3CUdCe3mhUrMAmW1Qh4Mh59M14scly:HlR9glMe1Qhz53Q
MD5:75E71F0C6E72AC4F9DAD168BA307D2B0
SHA1:41129512809F2AFAE64B04FB1EFA81D9C22B8389
SHA-256:C8F76EF189D14A0C75407DC40348CD9171F5997A94A4961D86152CEA2258ECF6
SHA-512:EBB279F36D612CB1D94E9333140CACFC9E7946A646CF28CD75F55AB20680B4ED5645AC9887FA528A07F8BB03FE942D8E104D63AF1B11CB9F79826F34E53DBEF6
Malicious:false
Preview:........a%..e.l...h.t...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.&...|.,...}.>.....F.....K.....S.....[.....c.....j.....q.....x.....y.....z.....|.............................b...........].....y...........G.................&.......................s.................(.................................................................;.....a...........W.................4.......................J.......................v...........:.....V...........g.................C.............................O.....r.......................6.....D.................F.....Z.................H.....Z.................@.....P.................'.....7.................'.....8...........".....o.................!.....>.....U.......................E.................5.....J.................k.................5.....S.....j.................C....._...........<.....................................................1.....\............ ....C ....T ..... ..... .....!.....!.....!.....!....("

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):537107
Entropy (8bit):5.4226739022427255
Encrypted:false
SSDEEP:6144:cneZxthZ8l/gooNBXBLZWkoyVH553JBi90sRaY5Cs:rxOl/go+5NJ9sR15x
MD5:F8BCB6FD83B0425ABB9B214535025140
SHA1:51E72F9B419393674E8CC9AC3ABABD6FCDEFA251
SHA-256:3EF0114EAF2268262CD594BFE33B56B24FB416D23D6FD125A9AE022D8ECEAA99
SHA-512:A5DC5E3EAD99820D3EE9B83CF58670923EDB8B538DAE84FFC6B1AEA9869FEC58F0A5E8AD8BA5A792736D1A593B4B6664D734BE3EF524FC2B036B268FE108B5A2
Malicious:false
Preview:........c%..e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~...............................................l...........T.....p...........7.....p.....................................................0.............................f...................................B.....r...........g.................B.......................g...................................S.....l...........x.................=.............................y.......................v.........................................!.....x.......................W.......................1....._.....i...........&.....^.....o...........j.................(.....r.......................C.....i.................E.....]...........V.................:....._.....x.................E.....X...........(.....s...............................................G.....r...........$ ....L ...._ ..... ..... ...."!....7!.....!....."....L"....l"....."

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):539844
Entropy (8bit):5.396781215354528
Encrypted:false
SSDEEP:6144:rtptZSTJLUHxk7jZieJVJJxhHLshYfVh85FKybSRLi:rtpmtAkt85FKsSRW
MD5:90964C1734B1C36442DD69EDBD85882C
SHA1:BA1FF66B255FE432278BC44860C6C4B3DA975296
SHA-256:B9439000C1C75565C2F223612079A51971AC54A3786D5B631F20436447929465
SHA-512:5A6AFC90FF5A3A65E9E2F4347635A82CCBFCC9D1F5D6B206828650AA49A2DCC59D3C8833CBFB9FC7CE8F347A28D718567E1CC300758A2EA5126C67E0967AEDC8
Malicious:false
Preview:........~%..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s."...t.+...v.@...w.M...y.S...z.b...|.h...}.z...........................................................................................................x.................^.................G...........'.....B...........-.....q.................8.....b.....r.................F.....X...........F.................,.......................f.................*.................).....9.................W.....l...........b.................7.......................".....|.........................................*.......................2.............................s.......................L.....y.................:.....n.................].......................m.......................2.....L.....]...........!.....N.....h...........A.......................W.......................A.....w.................M.................;...................................e............ ....l ..... ..... .....!....`!.....!.....!....."....h"....."

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):559523
Entropy (8bit):5.4511750881399434
Encrypted:false
SSDEEP:6144:JF04spOl5qs9TjmXHjvyJeyFodxOINkjK0yGZq5zZyo2ts2H/ktO3:JS4sAKQmXHuJRFozO/u0zq5zAoY/b3
MD5:3DFCF8B66CE93A258D1631685A137E20
SHA1:4B10119ACB26C44EDFF2028D27E960B93C0BD812
SHA-256:5E5D1CDE0FCEB570C20E7485B32F0EF7AD59569B93574FCBBC7AEAD4906E7D14
SHA-512:17FE50ECD7D44EE5D652B4240CC3B01CF796F9EC11C5FDFE5AF9DE63999F10D2A50842FDF95FA2DBB4982139C34A9DFB11C8BC2261180862652A92F1497692C4
Malicious:false
Preview:........]%..e.d...h.l...i.}...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.$...}.6.....>.....C.....K.....S.....[.....b.....i.....p.....q.....r.....t.............................A.................9.................3.....G...........N.................?......................._.......................B.......................Q...................................L.....p...........N.......................r.................-.......................~...........N.....|.................9.....V.......................%.....v.......................[.......................X.......................E.............................k.......................S.........................................M.............................e.......................j.................7.................".....t.......................e................................... .....5...........2.................'.......................t............ ....$ ....x ..... ..... ..... ....z!.....!....9"

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):919180
Entropy (8bit):4.8229638553919765
Encrypted:false
SSDEEP:12288:vzmSGKfQjRo4YS5KCx/K6NzJ9ZF/Aalla4qSGsN9z/0TYH8eXN2hVO3j/tSbzvMv:vYXxm506tU
MD5:DE3B5FAF5D64B16867BE213591E545B9
SHA1:5B8BDAF38278604B5031E1C944349A31FDD281B4
SHA-256:07DBEEE5A0B9C6C978D1C593DB5DD6152003FA12170A8189BDDE77908D826DCF
SHA-512:5808A46DD05302338EF63B1F1815828840218324A6FBB1AE6B19F62D803795BA13F7AB7AEE1E39137F61F99651AC80166781CDB1F295FBBFDBB218C5A293967F
Malicious:false
Preview:.........$..e.....h.$...i.5...j.A...k.P...l.[...n.c...o.h...p.u...q.{...r.....s.....t.....v.....w.....y.....z.....|.....}...........................................#.....*.....+.....,...........K.....h.................h.....(.................y...........{...........~.....;.................y...........>.....x.....'.........../.....R.................H....._.......................A.....4...........~...........q...........V...........2.................8.......................G.....K.....E.......................'.....T...................................V...................................O.....t.........................................W.....n...........k.................9........................ ..... ....V!.....!....."....|"....."....."....K#.....#.....#.....#....s$.....%....{%.....%.....&....%'.....'.....'....s(.....(.....(.....).....)....>*....~*.....*....|+.....+....d,.....,....a-......................./.....0.....1....c1.....2.....2.....2.....2....o3.....3.....4....64.....5.....5....+6

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):577498
Entropy (8bit):5.8098091220164525
Encrypted:false
SSDEEP:12288:rSkwf/qsOkNEpiIip+RC5zwbLfrQzLPxt9eI:3wf/qsgpiCC5OLkBtEI
MD5:421D713180D716A060629C334630ED80
SHA1:FD2D0A0A6D7A27C40A725C1757299AFE6D3A12FB
SHA-256:BE66B2442B5B4A6DC28A14545E2C4A0BC7F9E6547A89F974D7B8A63525C1855F
SHA-512:A6C8F62DFE81008A888FAB89BCCDCA8242650771BC2B07CB6B51B77DDA2C8EB9F2681D6260CA584ED2BDBC1EB6A60B78C8E07445FAA4E15D2B30134989263EB0
Malicious:false
Preview:........_%..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.'...|.-...}.?.....G.....L.....T.....\.....d.....k.....r.....y.....z.....{.....}.............................p...............................................c...........7.....Q...........".....[.....r...........A.....p.................<.....e.....y...........R.................G.................6...........-.....h.................d.................7.............................-.....~.................O.....o.................E.....k.....}...........>.....e.....w...........W.........................................*.......................;.......................Z.............................5.......................8.....S.....g.................8.....M.................O....._...........\.................1.......................5.......................U.............................W ..... ..... ....R!.....!.....!.....".....".....".....#..../#.....#.....#.....$.....$.....$.....%....M%

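The dropped-file records above are flattened table rows: a Process line followed by file type, size, 8-bit entropy, an Encrypted verdict, SSDEEP, the four hash digests and a Malicious flag. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses records in this layout into dicts, recomputes the Size, Entropy (8bit) and hash fields for a file in hand so that a sample pulled out of the sandbox can be checked against the report, and applies a packed/encrypted triage heuristic at an entropy threshold of 7.0. That threshold is an assumption of this example; the report's own Encrypted logic is not published here. SAMPLE_RECORD is a constructed input whose values are copied from the 495339-byte record above, with the Preview line left out.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample input: one dropped-file record, values copied from the
# report entry for the 495339-byte "data" file. The report's long Preview
# line is omitted; it is not needed for parsing.
SAMPLE_RECORD = r"""
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):495339
Entropy (8bit):5.423906423434989
Encrypted:false
SSDEEP:6144:GsKfvlCYYJ+8hz2bdXw5Op7fW9SighmrlDhP5RV5iM43CuMhVCD9vt:KVCj0bxw5Op7fW9S8lNxRV5iM43JF9vt
MD5:03F4AB4F1D042E41B37438AD38DDC794
SHA1:D465F7B3B05AC289F7C96FB9CF6603C30AF81466
SHA-256:1A35A4E5348CA851ADEC4EA1C666D56750D39174A35D74AB87CD061ABE063BF3
SHA-512:D0007B98BA9D9F2BC102A516CDE49B3982DB4698A1BD31E22104F5F634072943C98C7CD53E8CB02E320FD3A1455F8AE42DD99679A527C64723BD3BBC37743C23
Malicious:false
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):(.*)$")   # "key:value", split at the first colon
HASH_KEYS = {"MD5": "md5", "SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def parse_records(text):
    """Parse flattened Joe Sandbox dropped-file records into a list of dicts.

    A record starts at a 'Process:' line and owns every following key:value
    line up to the next 'Process:' line. Leading whitespace (the report's
    table indentation) is ignored; numbers are converted and hashes are
    lower-cased so they compare directly against hashlib output.
    """
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is None:      # fields before the first Process: line (a cut-off record)
            continue
        if key == "Size (bytes)":
            current["size"] = int(value)
        elif key == "Entropy (8bit)":
            current["entropy"] = float(value)
        elif key in HASH_KEYS:
            current[HASH_KEYS[key]] = value.lower()
        elif key in ("Encrypted", "Malicious"):
            current[key.lower()] = value.lower() == "true"
        else:
            current[key.lower()] = value
    return records


def shannon_entropy_8bit(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0), the
    quantity the report labels 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data):
    """Recompute the fields the report records for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matches_record(data, record):
    """True when the bytes in hand are the artefact the record describes.
    Size and entropy are cheap pre-checks; the hash digests are authoritative."""
    fp = fingerprint(data)
    if fp["size"] != record["size"] or abs(fp["entropy"] - record["entropy"]) > 1e-6:
        return False
    return all(fp[h] == record[h] for h in HASH_KEYS.values() if h in record)


def likely_packed(entropy, threshold=7.0):
    """Triage heuristic (an assumption of this example, not the sandbox's rule):
    byte entropy close to 8 suggests compressed or encrypted content; values
    around 5.4, as in these records, are typical of structured, unencrypted data."""
    return entropy >= threshold


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORD):
        print(rec["size"], rec["sha256"], "packed?", likely_packed(rec["entropy"]))
```

Feed the whole dropped-files section to parse_records to get one dict per file; a cut-off record at the top of a page (hash lines with no preceding Process line) is skipped rather than mis-attributed to a neighbour. Compare a recovered file with matches_record before trusting that it is the artefact the report describes.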
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):554338
Entropy (8bit):5.479799007655059
Encrypted:false
SSDEEP:12288:v/ym7W5Op5rB2I+EbME5G8coJHvbxi/fz4Cqc:Xym7Wop5T3ME5G8cii/fz44
MD5:C2C99E4B36E16403DED88CFF651671C7
SHA1:F3257F4B444CD2E33451A76BD55F81372F622681
SHA-256:8095CE45373D8DE8DD243FEC034643060CBFF67A48FA81414E31A0B9327EEFC4
SHA-512:D8C76B7C9C3B6A1CF5C72ABED0B53E2552EE28D1575CBE3B680904281F07EC797D37A4D60590490984C6C0DCB33D3C688869DEE9C51920D4B41862D1E5FD7DC2
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):853696
Entropy (8bit):4.754963351356009
Encrypted:false
SSDEEP:12288:QhjTzIuup7+q2YZAYI8glSDdrLuzQhrUPb7FW5YrT0xs7xH4rL37SjeYM/k/p:0jvwvwlW5nxoP
MD5:D0045EF8D5EA1347F09983410EFFF00C
SHA1:4C88AEC2A3D54E44E0D05281201B06917FAF17AD
SHA-256:A50C82C0DB17E2AA4A62068CA2B210FD9847D32BF2134D6D5AF1FC4B7050091A
SHA-512:1694CBD28BD29E5F394E3F6CEC01F9EFBB9DA8358F59FF80F550D4059ABDB02E02D4D4DA007E0646FA5CFC812FF8F94FE0A747BDF8B6F8449F02D28D83D536D5
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):498248
Entropy (8bit):5.542683564471982
Encrypted:false
SSDEEP:6144:g3MKUcRe61TO/AYcNUAvSCZxemvZl1BI4RFcz9RyoxGOGW3IiRMaSOmDE/xWcqdk:g3/LCAYcGC1l5+5dzB
MD5:02AD118E6E093D71E32291958F5A44FA
SHA1:111974CF0FBC304B1395A6D68FF3A79A25B72B76
SHA-256:A615C0756155436781F8E8543D4B4163B7D96CBDF58BA86DDCE8B39C5B7A17C8
SHA-512:717A438BBEE8D21011C1DA203B5126EF4AC330CD94013A93EEBA518E5E33772A8667A84C368B1A9B2D1E151D8A81E53CD0C5C59C58A578BD4AA1345115C4A49B
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):524797
Entropy (8bit):5.339786582850613
Encrypted:false
SSDEEP:12288:Za8pzL2fuucrB5G7CCRdCAUQbQW4243EaeFNUq89F1ggt45rUAcw06yJMkJPe/Bb:HkJ5IY
MD5:AD41974EFF2483E260B558AC010879DC
SHA1:BE8B566A4CE4A529F8EB0352ABC7A2023A9B5355
SHA-256:ECC84D9A40448772697C14F27B1297FCDCE12DF30D008A7D4149A6AA587D85A8
SHA-512:2B731DAAD19CA5E43D29106C1EC06B8BA6B54EF44571FD51C2CF65DA4C9BA1941D78808D03F2056A839E2E76844E979B775AFC7B470640101328B572D10E0C4E
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):1358123
Entropy (8bit):4.034318859603253
Encrypted:false
SSDEEP:6144:obtBkiv2nWiuF5uzGtR6cA25tm1vYpiMyj:afdenWzF5uz/cA25tm1vYpiMyj
MD5:2F628ABBFE91A7738CD47142E42A4CCB
SHA1:9FB966C32D237E3ADDBED97478CB84697BCF1FE3
SHA-256:3C8DCE29BCF2B60BCC273229AFCA64EB07A73C729D0D20E35455CC5D933E9A69
SHA-512:9A1F0A40E8FF8E68DD08DBEA55DCFF45E7BBE76DE45520323832A9004698E6AB30D53ECA58EFE6DB08621F940A80C3AE441E038BCEFA4206CAFAF664E6CC0BFB
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):1255925
Entropy (8bit):4.288346104977189
Encrypted:false
SSDEEP:12288:sHU9G7McKNBJhot56d4e/gb0HrWs05Bk3p1FZNViFlV2wtg+NFqIrOlHXAAFwQVV:s0X1u5EM2X
MD5:44C01878B175E976E75CE036E4D7A495
SHA1:91ECD7611C7C25F8615F234537819BE42799B288
SHA-256:7F28D607ED94E339B677CD5556202FB60F7E801E74AF16397EF610C7302F6957
SHA-512:3AFBFB3D6A95F1D61FE6A409729C768F1E4F0B3B4C1B6E35AF806F0AABCB6FF516CC70E9A112C2C6CEDE88C2778BFAE08A3E6AFFD05C9D5BC8A5DD4A4EC9BDD3
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):1055231
Entropy (8bit):4.333705516374822
Encrypted:false
SSDEEP:12288:78XSN9LyZYArTJz1L/L1XPhHsbhRy1cW+v1H5UJEyL3ftj8wlz9eTRo94G+K9uLO:78XBS5j5k
MD5:8470D57577F417DA93D40889CBE9F4BF
SHA1:6B497939F2B196A1B84E06D8AC2449B554C14A60
SHA-256:F5118CA292C570E69972FF8A7A81940A98DBF4519532CEFF133488A329825F78
SHA-512:EFA31D2C3DC584AAA4120C931749FF1CC0F21D263530DD6BD2D9F66BEC74159998CBF679A78B8D231FAB5DA1F0CB48A9D9DFACD0E0E85336B234B87B2457BFF3
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):535874
Entropy (8bit):5.6117453642537285
Encrypted:false
SSDEEP:6144:KErTapWZp08qQdrdwZiRDhzXkKxv8CXHXki4wge75MW/2+qi1nEedGAMYw/KFT6Q:KECph8qeoi7zBkiN5MW/B
MD5:04D37B8E9DB287042E86D0623063F9CA
SHA1:C6C3C32350737EFBC938F59A12D1D4A1C2ACA736
SHA-256:0FD794B314D12652CA5C1986795A00BD0116B44A3163D2EA0B26560E3AD23EEE
SHA-512:38756868FDD0045AA3E10D26E89F923759AFF7FB4C984CAE2FC46091D737E6C9B5EDD924948671ABE4B9991E150DCB0068143618911595F021332A5DBA7AD912
Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):918373
                                                                                                                                                                                                  Entropy (8bit):4.858278654048673
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:/T0LytA6d8Nj7RMRWYPnfzKj0meRi8ICN5rB3IjtAlLEpdcuPLNiXEqqbQS0w:/Ys8Njtgz55E5
                                                                                                                                                                                                  MD5:BC19ED011123CE8CE343BA2BE9DAA315
                                                                                                                                                                                                  SHA1:D588DF92475BB650D1E2BFC15E558315E90C9425
                                                                                                                                                                                                  SHA-256:EF7FFD8792B482829F31924241E6BD12DCCDFDF404A0781BB28747C308649C0A
                                                                                                                                                                                                  SHA-512:6B0960807F27C7653E7D851D503F5564F773C9E4290D4745566A0C3911CC0EF12E90F47DE883C541129AD7D294A766F226DC689AA343A00AD72049BF3D5C3713
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.........%V.e.....h.....i.....j.....k.....l.....n.....o.....p.#...q.)...r.5...s.F...t.O...v.d...w.q...y.w...z.....|.....}.....................................................................................?...........e.....(.......................!.................{...../.......................J.............................|...........:...........&.....;.........................................K...........9...........3.....Y...............................................!.................\...........$...................................<.....]...........\.................l...........j...........&.............................,.....v.............................. ..... .....!....`!....{!....t"....D#.....#.....$.....$....!%....e%.....%.....%....]&.....&.....&....Y'.....'....x(.....(.....)....<*.....*....++.....+....,,....`,.....,....4-.....-.....-....%............/.....0.....0.... 1.....1.....2.....2.....3...._4.....4....)5.....5....h6.....6.....6....i7.....7....%8....B8.....9.....9....2:
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):801665
                                                                                                                                                                                                  Entropy (8bit):5.134245422974978
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:Xc/F4PuvV+8PomR0D2nyBO3QU56JhEFZWPOWojYzQYrNwadcJKwU8ueco/9NjjFE:Xcm6V5vWR
                                                                                                                                                                                                  MD5:4144860C649699B6237186D186697910
                                                                                                                                                                                                  SHA1:A1774F0AE15891A80D40202723E4DF4044788D40
                                                                                                                                                                                                  SHA-256:2E0B43AFA9C69288586ED404564EE2F420A87FF7936BDB48EFBF21CE8F58F468
                                                                                                                                                                                                  SHA-512:D1E1FF2BDC0E746E84C36B221C7CBBD49A905B6353A23914F1F9F4A9314F495B1D273230C99488F9A3B61980211D90E996165B3DF7A3AA761E374D2A35AC8CD9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........V%..e.V...h.^...i.f...j.r...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.!.....)...........6.....>.....F.....M.....T.....[.....\.....].....b.....z.............................l.....................................................'.....\.......................:...........E.................H.................7...........C.................|...........y...........Z...........J.....i.......................*.................7.....c.....A.......................<...................................6.....X...........A.................9.................+...........J.................L................./...........+.....w.............................. ..... ....q!.....!....."....."....(#....n#.....#.....$.....$.....$.....$....g%.....%....'&....H&.....'.....'.....(....J(.....(....K).....).....)....W*.....*....2+....X+....*,.....,....$-....U-....%...........\/...../....d0.....1.....1.....1.....2....13.....3.....3....[4.....4.....5....D5.....5....x6.....6
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):634523
                                                                                                                                                                                                  Entropy (8bit):5.786224749056375
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:HLvU+cmwJlroEKaaF/KtXy0xxcPdI9+vUx5a8hye94KieJziMHo6wtON:rs+cmwJl7a4ti0xeo5a88e1ieliMI6wI
                                                                                                                                                                                                  MD5:4185AB945C7550DE028909A55ABD3129
                                                                                                                                                                                                  SHA1:0D5DAF37C1A0528C6F1DBA47758FC18938B6F34C
                                                                                                                                                                                                  SHA-256:030D29BFC26F9F08DB13455C0D635F33B0315905D27D030D9F7813DADD899603
                                                                                                                                                                                                  SHA-512:F500B4957AB0192A570130868BD661F94B4D0CD36D6A9EA5BE45437C95DCD8923CCA1EBFACD9AC98B85420E1D9FA96A74A9D4801432296A87871867672B3C60E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.........%^.e.....h.....i.....j.....k.....l.....n.....o.....p.....q."...r.....s.?...t.H...v.]...w.j...y.p...z.....|.....}..................................................................................... .....?.......................1...........E................._...........S.....y...........z.................:......................./...................................K.....}.....=...........O.....}.............................~...........C.....Z...................................X.................\.......................v.................!.................=.....N...........L.........................................+.......................@.......................S.............................^.................c...................................-...........$.....Z.....z.....#............ ....n ..... ....R!.....!.....!....7".....".....".....#.....#.....#....S$....z$.....%.....%....3&....G&.....'.....'.....(....D(.....(....-)....b)....{).....)....N*.....*.....*....3+.....+.....,....<,
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):458528
                                                                                                                                                                                                  Entropy (8bit):6.664384291438873
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:nRAwX0s66VXNN5zu+E7/56aO/epD659+qjNFEwYHB07ulz:nRA3s6OXNzzt856aO/w65McNFEwmB/
                                                                                                                                                                                                  MD5:6AF4D1577C142B87DABD3262F37634C8
                                                                                                                                                                                                  SHA1:1B6152757B163455E9E1304E1BA1C09DD6593385
                                                                                                                                                                                                  SHA-256:374AED2859320A7287B64A8D1B150F7DE05A931BE3603A541B68DDD64EA361B1
                                                                                                                                                                                                  SHA-512:7F0A6CF88634E852B0E3E3B6B8A0C703602F3F606B8B34183D129F55EA2CE120E1C4D2EE2820FE027F025D422EBD0DFFE5F696303C1306F717129985CC0EF826
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.........$..e.f...h.n...i.v...j.y...k.....l.....m.....o.....p.....q.....r.....s.....t.....v.....w.....|.....}...................#.....+.....:.....?.....G.....N.....U.....W.....\.....e.....q.........................................C.......................A.......................L.......................P.......................(.....u.......................V.....|.................q.................#.............................f.......................R.......................h.......................G.....a.....{.................4.....@.............................g.......................o.......................O.......................4.............................^.......................y................. .....i.......................E.....j.................8.....\.....n.................O.....o.......................$.............................................../.................`.....r...........>.....v.................;.....a.....p.................!.....1.......................#.......
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):453011
                                                                                                                                                                                                  Entropy (8bit):6.676159403780886
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:1K2A4c8ADmJUHGF2tuDasg5V5gjkzBMOZQyZV7zeXTA:8Z8Ahwasg5V5gjkzpr/7/
                                                                                                                                                                                                  MD5:D6800784F1138702E4973CC5B074FE6C
                                                                                                                                                                                                  SHA1:A8938CED7FE5A35163C28214EADD96A6F63A8666
                                                                                                                                                                                                  SHA-256:D2C4AEC734BC94FBE7D60666343B4E419BE5E2CD1FF445A8BBF14FB4B8D3D715
                                                                                                                                                                                                  SHA-512:3AD3557908E4BA71A5062AB0BE07832D553E6A3BD56BDD59A719DF65A4D9152950AF2DE25C6C410B6407463A862C92D49E9D0EE863BEF27A792AA128458FC7E7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.........$..e.....h.&...i.7...j.;...k.J...l.U...n.]...o.b...p.j...q.p...r.|...s.....t.....v.....w.....y.....z.....|.....}.............................................................'.....3.....B.....Q...........A.......................9.....b.....n.................`.....r...........".....O.....a.................2.....>.............................f.......................Z.......................R.......................:.......................).......................?.......................E.............................C.....c.....o.................1.....@.............................p.......................S.......................;.............................h.......................e.......................@.....Z.....n................. .............................t.......................].............................g.......................O.....~...................................G.......................Y.......................#.....d.....y.................0.....W.....i...........".
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5281234
                                                                                                                                                                                                  Entropy (8bit):7.996903093990653
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:98304:UCNks/PeeUfLi93zJ/HbKKSoDr+cgSrwrNl8dtSip6QaVaK2nwuoM10mpmjy+0V4:UAk03dB7KRcRkrNi/SQaVN2wuJ10Le+1
                                                                                                                                                                                                  MD5:54790975C932460FFA375CD0F0F8FFF0
                                                                                                                                                                                                  SHA1:05B72FF82ABB8DDAC1A92471F765B87B7FF1E9FD
                                                                                                                                                                                                  SHA-256:1EFDD507BB6F4FB07329EC7EC29EE00C952D6390BD5CFE3B41FB307C5CAEAB6C
                                                                                                                                                                                                  SHA-512:D74627207CAA35602E68AD6C08A0EBF55FE062E191A1885EB38226755D382DD3407DEA883E4337C5CFF23C1F724D64E5598EDF7A5CE93D4CC1EA6EA10C41AA0E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:........5...f.\...{..)..|..,..~.F0.....B.....D.....P....H................V...........B.....k.....M.....c...........F.....$.........t@....u@;...v@....w@....x@c...y@l...~@.&...@.,...@.1...@.1...A.1...A.5...A_7...A.<...A.E...AsT...A/u...Avv...A.w...A.w...A.|..<AL...=AR...>A....?A....@A....AA....BA....CA....DA\....A.....A.....A....RIb...wI....xI....yI....zI....{I.....No)...N.6...N.>...N!B...N.E...N.O...N.P...N.R...NOS...N.....Nn....O.{...O\~..T`....U`....V`....W`x...X`....Y`....Z`v...[`.....`.....`.....`.....`m)...`d,...`.1...`.2...`@4...`.5...`.8...`.=...`.G..0aUO..1a.X..2a.]..3a>d..4a3o..5a~|..6a....7a....8ao...9a....:a....;aV...<a....=a....pb....qb&...rb......V.............................j............................w..................................................9...._........................+$...`'............b........x............................@....7.....>..x..D..y..D..z.YE..{.gF....kH.....I..../....B...@F....G...{H....I....K...2N...<Q....R
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):14617068
                                                                                                                                                                                                  Entropy (8bit):5.79385325281793
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:avGNB5C7vJdzwjRm4A4s4QNhAejRmf4jNdA4J6dR3RfdV3zdT3diacttfh89Wew7:sdiA4s4QE4CPnf/9O
                                                                                                                                                                                                  MD5:3BE23F535F4189F279B715002E04051C
                                                                                                                                                                                                  SHA1:8881A8840A87F7C099B60CCA5F89CC27CC1CD287
                                                                                                                                                                                                  SHA-256:6A8BD45F434D89B24C0396B98922347CBF5C308222B8CE73B5775EFC3BE12847
                                                                                                                                                                                                  SHA-512:59076F68AFAFD80D89C4539E6C379C9D238AC5034495F02B95D1DABD935E35000E1B3E3288AA29141386DF40DF41F3B795AAEC9E0AC0A682AC863EC5BF81B05F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.....d...d...d..{"files":{".gitlab-ci.yml":{"size":5099,"integrity":{"algorithm":"SHA256","hash":"09f5ff625209a83fccc4713de0442c8ff1f40845745d91f2c773bc39dfce6451","blockSize":4194304,"blocks":["09f5ff625209a83fccc4713de0442c8ff1f40845745d91f2c773bc39dfce6451"]},"offset":"0"},"Developer_ID_Application_and_Installer.p12":{"size":6285,"integrity":{"algorithm":"SHA256","hash":"cbf7b680ee72fd3a5cb10af805f29ee260593ea89f04bc83eaadf1a5127f9300","blockSize":4194304,"blocks":["cbf7b680ee72fd3a5cb10af805f29ee260593ea89f04bc83eaadf1a5127f9300"]},"offset":"5099"},"README.md":{"size":1249,"integrity":{"algorithm":"SHA256","hash":"0a63d81f319197c9bf72add393104b12b84471f00c718eae1297fda82f2f7b86","blockSize":4194304,"blocks":["0a63d81f319197c9bf72add393104b12b84471f00c718eae1297fda82f2f7b86"]},"offset":"11384"},"applications.json":{"size":854,"integrity":{"algorithm":"SHA256","hash":"260e10501f9770be3cbe2d0cd583903a51366acefeafaff8c27acfd95003affe","blockSize":4194304,"blocks":["260e10501f9770be3cbe
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):128792
                                                                                                                                                                                                  Entropy (8bit):6.771174027481737
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:lHbLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWldO1fQSgqS:lPrwRhte1XsE1loJgf
                                                                                                                                                                                                  MD5:3401FBF1785F35748B2E84978E967B83
                                                                                                                                                                                                  SHA1:1E9130802E2950C0207A5678022346CAF97073A2
                                                                                                                                                                                                  SHA-256:17A1AC7FD38F237E082792A5E1B7DE92A8EB54F785A053F2F0D6D01703CCF2D7
                                                                                                                                                                                                  SHA-512:538E29A5B1E23EA60950AB20BB2AF1B7E3AABC8D694225EE3959EDD70393723D95EAD1E76CFFABE7E0723F368AF27C27CCF53F94F9CD4BBCE229089CC5C774F2
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..O..............h.......j.q.....k.....e......e......e.......zR........._...h......h.f.............h......Rich....................PE..L......W............................l........0....@.......................................@....................................P.......x................S......T.......p...............................@............0..$............................text............................... ..`.rdata...k...0...l..................@..@.data...............................@....gfids..............................@..@.rsrc...x...........................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: ASCII text
Category: dropped
Size (bytes): 2903
Entropy (8bit): 4.900542158148091
Encrypted: false
SSDEEP: 48:KDozOLwQ5W/Imgai9dgaijvgEiBP93iNaiBpaiB2EiBO3i3aenaeiEJg37Baevaf:KQxeeIm5i9d5ijvpiBPhiIiBkiB7iB8W
MD5: 310A042DCA2144C9CDA556E9BC4B0C02
SHA1: D2032AF7EEA0DBD027A36E577567E85486496949
SHA-256: CAA82E59CA92629057791CB1E0BA0B74C90F561FAC81B029033FC081A83431B0
SHA-512: 843D9F6F300CABA8DF41511473C43F4D5029FA0012E593677C83F196C8D595194D1409069FB4B8616E0118F37BA943BBE656B29DE40F0AD70997AB610FD98DB8
Malicious: false
Preview: ' Notes: wanted to implement this using a class but:.' 1. No matter what I did I could not assign the result of GetObject to a private member.' 2. It looks as if all methods were treated as subs from the outside world which is not good since .' some of these need to return a value.'..Set private_oReg = GetObject("winmgmts:\root\default:StdRegProv")....Function SetStringValue(constHive, strSubKey, strValueName, strValue)...SetStringValue = private_oReg.SetStringValue(constHive, strSubKey, strValueName, strValue)..End Function..Sub GetStringValue(constHive, strKey, strValueName, strValue)..private_oReg.GetStringValue constHive, strKey, strValueName, strValue.End Sub..Function SetExpandedStringValue(constHive, strSubKey, strValueName, strValue)..SetExpandedStringValue = private_oReg.SetExpandedStringValue(constHive, strSubKey, strValueName, strValue).End Function..Sub GetExpandedStringValue(constHive, strKey, strValueName, strValue)..private_oReg.GetExpandedStringValue constHive, strKey,

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: ASCII text
Category: dropped
Size (bytes): 8639
Entropy (8bit): 5.069544854640392
Encrypted: false
SSDEEP: 192:KQHS6Su0ECBgJOBSrBExBu1B7UBcxAvBHc2GB3XzB3/5BvtdBv+cB3uxYvBvdH4:K3FxECBqOBSrBExBu1B7UBcxAvBHc2GC
MD5: EE5AF2ED3DD0D9EFBCD172026BDD7260
SHA1: FCEB14612CD086A3E285B5E137B0652E8603B354
SHA-256: 6786FE4E7F09D2266678E2BEAEC09C5BC7FEA8BBB2C34033F37A2A4F3779EFC9
SHA-512: B166E68FD6D17D8029B8A2CB3B0ED14CE71B3C607D5182F10E05C7F4D8ECF76300034835670031E283F54FA3FB5DBC165E1AD9A4120140C3FEF98A34D834250E
Malicious: false
Preview: ' Notes: wanted to implement this using a class but:.' 1. No matter what I did I could not assign the result of GetObject to a private member.' 2. It looks as if all methods were treated as subs from the outside world which is not good since .' some of these need to return a value..' should be removed when migration is complete.Set private_oReg = GetObject("winmgmts:\root\default:StdRegProv")....Set private_oCtx = CreateObject("WbemScripting.SWbemNamedValueSet").private_oCtx.Add "__ProviderArchitecture", CInt(OSArchitecture)..Set private_oLocator = CreateObject("Wbemscripting.SWbemLocator").Set private_oServices = private_oLocator.ConnectServer(".", "root\default","","",,,,private_oCtx).Set private_oRegSpecific = private_oServices.Get("StdRegProv") ..Function CheckAccess(hDefKey,sSubKeyName,uRequired, bGranted )...Set Inparams = private_oRegSpecific.Methods_("CheckAccess").Inparameters....Inparams.hDefKey = hDefKey....Inparams.sSubKeyName = sSubKeyName....Inparams.uRequired = uRequired

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: HTML document, Unicode text, UTF-8 text
Category: dropped
Size (bytes): 217
Entropy (8bit): 4.958838262797446
Encrypted: false
SSDEEP: 3:SPjDTxAAAbv1V1O9KTWX/HLAqV1O9KNssWQbyMCtHVEQvIf9HHblaDdcK7L0PU:yHgv1e/Eq3JCLLvi9QDl4PU
MD5: B2F8FFF6092358229A94CC309AB6C11B
SHA1: E4C29B96408D58D9196AD971CABC50D05BC94C4C
SHA-256: C2FAB2EB9137FEB5CE29833D58690A0735703A0BD2F38538061758B47A44105F
SHA-512: A1DAE465D9B9BA874D1497485E08D83471D3B97CF1143DCEE6CBC24C0121BB6F1FBBB8AFF66239AAE46AC0B8451FAFB1CF7E7A989493B9F91423DD76756AAD7F
Malicious: false
Preview: <job id="JsonSafeStreamTest">..<script language="VBScript" src="util.vbs" />..<script language="VBScript">.....str = """" & vbcrlf & "..\"...Write("{ ""a"": """ & JsonSafe(str) & """}" & vbcrlf)..</script>.</job>.

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 775
Entropy (8bit): 5.103736648548187
Encrypted: false
SSDEEP: 12:rrAkRe8qeYjqD7q3mPeHsq81lMWe2hqrFG5G50dOd9yMoP2usRc0NHcR1JTslng5:rlR9q7qvAmwb86EcI72usvcPxseHld4C
MD5: 04E6D736DDA6EEC814E5BFF7121A695C
SHA1: BCD113F9B374F977A81E52F1BE21C35E9C815C74
SHA-256: 44201185E05845FEF8B56BA9CEA0194EDFFD89D0465B86E055292F84F19526C0
SHA-512: 6DB255F72129F080DD259A3E7603CD1C21702A8810454C7935AFFE9A9F443A221A614A39CBFECFDE1B2E13523992BBC8C222A0D763C018BC4EA10FDA0CBFB468
Malicious: false
Preview: <job id="createKeyStream">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">....CheckZeroArgs("usage: cscript regCreateKey.wsf architecture")...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture()....Do While Not stdin.AtEndOfLine....strLine = stdin.ReadLine().......strLine = unescape(trim(strLine)).....If IsNull(strLine) or strLine = "" Then.....WScript.Quit 25127....End If........ParseHiveAndSubKey strLine, constHive, strSubKey.....if IsNull(constHive) Then.....WriteLineErr "unsupported hive " & strLine.....WScript.Quit 25122....End If.....Result = CreateKey(constHive, strSubKey).....If Not Result = 0 Then.........WScript.Quit Result....End If...Loop..</script>.</job>

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 695
Entropy (8bit): 5.08983740554656
Encrypted: false
SSDEEP: 12:ae8qeYjqD7q3iHsq81lMWe2hqrFGEFG40dOd9w5c0NHcR1JTsquaOlAo4C:a9q7qvAkb86EcgNncPxsfHld4C
MD5: 82BD86D76A25E9D3BC5E7FFB15311B16
SHA1: F749B997B38DE6DF0F06380049E0CC370BD633CC
SHA-256: 3DB8EE7F2056D79A97FAFDCC7369867E7B49ECAA58B7C6AD442BE858E1DCC6C2
SHA-512: EB1876453AEEA894E0C99314F20D54883E45AA29A9305E3A1CFC55187BF9A4ABF299D955A7EE8F53F6480A10CDC803E3464759E01B330F93264892FC999823BB
Malicious: false
Preview: <job id="deleteKey">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">....CheckZeroArgs("usage: cscript regDeleteKey.wsf architecture")...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture()....Do While Not stdin.AtEndOfLine........strLine = stdin.ReadLine()....strLine = unescape(trim(strLine)).......ParseHiveAndSubKey strLine, constHive, strSubKey.....if IsNull(constHive) Then.....WriteLineErr "unsupported hive " & strLine.....WScript.Quit 25122 ....End If.....Result = DeleteKey(constHive, strSubKey).....If Not Result = 0 Then.........WScript.Quit Result....End If...Loop..</script>.</job>

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 985
Entropy (8bit): 5.201314794064873
Encrypted: false
SSDEEP: 24:3AgreMToW9q7qdAaxgw86EMVcw7WcPKWWsyA4C:3AyeMTh9q7qRb8jMVX7WnWVyLC
MD5: CAE7DB4194DE43346121A463596E4F4F
SHA1: F72843FA7E2A8D75616787B49F77B4380367FF26
SHA-256: B65C5AF7DBEB43C62F6A5528AF6DB3CB1CA2A71735A8E7A1451796F834E355C2
SHA-512: CCEE660CC4878301C743D3EBDE4557DC180D8B6F77C97DE5E36C95F6E4D2446EF7BE28EBC787FDEA2F2D817890AC7BDB713196C755A51677DC127CCE77670026
Malicious: false
Preview: ' .'.Lists the sub keys and values of a given registry key.'.'.cscript regList.wsg HKLM\Software.'.'.Will Yield:.'.'.{.'.."hklm\software": { .'..."keys": [ .. array of sub keys .. ], .'..."values": { .'...."moo": { .'....."type": "REG_SZ", .'....."value": "bar".'....}.'...}.'..}.'.}.<job id="list">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">.....CheckZeroArgs("usage: cscript regList.wsf architecture regpath1 [regpath2] ... [regpathN]")...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture().....Write "{"...For v = 1 To args.Count - 1....if (v > 1) Then.....Write ","....End If........Write """" & JsonSafe(args(v)) & """: "........ParseHiveAndSubKey args(v), constHive, strSubKey.....if IsNull(constHive) Then.....WriteLineErr "unsupported hive " & args(v).....WScript.Quit 25122 ....End If.....ListChildrenAsJson constHive, strSubKey...Next...Write "}"..</script>.</job>

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 1095
Entropy (8bit): 5.116448046938126
Encrypted: false
SSDEEP: 24:3AgrlLcMToW9q7qdAab86EWNncPxsPV4C:3AylcMTB9q7qRb8jmnXP6C
MD5: EE5A8DDC32D31C4088EA5E15A5076D6A
SHA1: 0C8667D5899B7924994D39C8B887A2EBC9B50A79
SHA-256: D482B452AF9DA79C27DB2341891841EC4CFC1D18D5685778DDDA97F082F313EC
SHA-512: B4EAD3A4CF5AAD1A88F9D24E5DD9A7418511441A3AD23634102CB8EB7871B10C2720368F6912478F6DC1C627FC051FB2C81B9B4C0F54A5D50301EB324B437C99
Malicious: false
Preview: ' .'.Lists the sub keys and values of a given registry key, this script is slightly different.'.than regList because it reads stdin for the keys to list.'.'.cscript regList.wsg HKLM\Software.'.'.Will Yield:.'.'.{.'.."hklm\software": { .'..."keys": [ .. array of sub keys .. ], .'..."values": { .'...."moo": { .'....."type": "REG_SZ", .'....."value": "bar".'....}.'...}.'..}.'.}.<job id="listStream">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">.....CheckZeroArgs("usage: cscript regList.wsf architecture")...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture()......Do While Not stdin.AtEndOfLine.....strLine = stdin.ReadLine()....strLine = unescape(trim(strLine)).......ParseHiveAndSubKey strLine, constHive, strSubKey.....if IsNull(constHive) Then.....WriteLineErr "unsupported hive " & strLine.....WScript.Quit 25122 ....End If.....Write "{ ""key"" : """ & JsonSafe(strLine) & """, ""data"

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 1315
Entropy (8bit): 5.205855538505303
Encrypted: false
SSDEEP: 24:ap9q7qwRGecpABO+86EKSrNm2uskzrUSF0PgpQsa7+AShhsdSMaFGSoYai64MPSw:ap9q7q/ecm8j9m2N+Q8a7yhsdxYai64q
MD5: 41E0AD02B82C3DC024B68D95C98EA10D
SHA1: 956116C92C52AEA91CFCAB3CE331F9EC27F27F7C
SHA-256: F25A275CC00918AB1633F9026E66FF194A43D843D799F3EDF52D527F7D3209D8
SHA-512: 8BAC8BB56E8825F31F774977A2BCCE769196DCA8093C43A11737B581786D57F4808D3FE97262E062AAF41594C46A320F1065E5726374B66F2FA577CDE8F07F5F
Malicious: false
Preview: <job id="putValue">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">...usage = "usage: cscript regPutValue.wsf architecture" & vbNewLine _......& "types: REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD".....CheckZeroArgs(usage)...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture()......ReadCount = 0...Dim lineArgs(3)....Do While Not stdin.AtEndOfLine....strLine = stdin.ReadLine()....strLine = unescape(trim(strLine))........If IsNull(strLine) or strLine = "" Then.....WScript.Quit 25127....End If.....lineArgs(ReadCount) = strLine........ReadCount = ReadCount + 1.....If ReadCount = 4 Then......ParseHiveAndSubKey lineArgs(0), constHive, strSubKey..........if IsNull(constHive) Then......WriteLineErr "unsupported hive " & lineArgs(0)......WScript.Quit 25122.....End If......strValueName = lineArgs(1).....strValue = lineArgs(2).....strType = lineArgs(3)..........Result = Put

Process: C:\Users\user\Desktop\Collaboration-x64.exe
File Type: ASCII text
Category: dropped
Size (bytes): 8106
Entropy (8bit): 5.258136673571623
Encrypted: false
SSDEEP: 192:uL5OpODtmFCuOFRO5OL+TTrXzySl2lOcoiRebCULcvBJW5fdrLWYKdrehvp4v5vI:uL52GMFd0c58+TTrXzrskc/q/LaBY5f3
MD5: 77E85AA761F75466E78CE420FDF67A31
SHA1: 4470BD4D215D7682828CBC5F7F64993C078B2CAA
SHA-256: 350DEA3D6C8E65372F8D12A5FD92A3A46A7519610C69564E8185A2ED66B00D59
SHA-512: 50AF664777545CED78C34A6EA35DAE542FDB85B8B307A4A4A95DB25A808A695D3FE8840EDB36325279C2381FBAE071F6B509F7491185CEF2F42AFCB7672CFD13
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:' TODO: consider incorporating a json writer of some sort instead of adhoc solution like the following.' e.g: http://demon.tw/my-work/vbs-json.html..const HKEY_CLASSES_ROOT = &H80000000.const HKEY_CURRENT_USER = &H80000001.const HKEY_LOCAL_MACHINE = &H80000002.const HKEY_USERS = &H80000003.const HKEY_CURRENT_CONFIG = &H80000005..Sub LoadRegistryImplementationByOSArchitecture()..If IsNull(OSArchitecture) Then...WriteLineErr "missing OSArchitecture global. did not call util.DetermineOSArchitecture? or Forgot to load util.vbs?"...WScript.Quit 25125....End If...If OSArchitecture = "A" Then...Include "ArchitectureAgnosticRegistry.vbs"..Else...Include "ArchitectureSpecificRegistry.vbs"..End If.End Sub ..Function PutValue(constHive, strSubKey, strValueName, strValue, strType)..Select Case UCase(strType)......Case "REG_SZ"....PutValue = SetStringValue(constHive, strSubKey, strValueName, strValue)....Case "REG_EXPAND_SZ"....PutValue = SetExpandedStringValue(constHive, strSubKey, strValueName, s
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):4150
                                                                                                                                                                                                  Entropy (8bit):5.218396921355448
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:o+fVSqeeysrTAo+rx86QK1yP6tsB1f0Or:npUxd8EyP6tiz
                                                                                                                                                                                                  MD5:E2BE267C02D51DF566FA726FC8AA075A
                                                                                                                                                                                                  SHA1:C9B9AE17F36E23D5D3CBBF2D6F17A954BFA87D24
                                                                                                                                                                                                  SHA-256:B2EFD5E0C2F695063A8BCE40C8182AA70F33C4B1B77D232B7530D89FB9646F0C
                                                                                                                                                                                                  SHA-512:B6F80622A9F61F636F7786D91A1B9E06A64602F0898425E90A1A696D0A4855C8C08CBD6E6B98B9A3A1A24DE354B26260247953B5273F7D57EA87294B4B142E8A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:Set stdout = WScript.StdOut.Set stderr = WScript.StdErr.Set stdin = WScript.StdIn.Set args = WScript.Arguments.Set fs = CreateObject("scripting.filesystemobject") .Dim OSArchitecture..Sub WriteErr(message)..stderr.Write message.End Sub..Sub WriteLineErr(message)..stderr.WriteLine message.End Sub..Sub Write(message)..stdout.Write message.End Sub..Sub WriteLine(message)..stdout.WriteLine message.End Sub..Function IndexOf(varNeedle, arrHaystack)..IndexOf = -1....If Not IsArray(arrHaystack). Then...Exit Function..End If...For xyz = 0 To UBound(arrHaystack)...If arrHaystack(xyz) = varNeedle Then....IndexOf = xyz....Exit Function...End If..Next.End Function..Sub CheckZeroArgs(message)..' bail if args are missing..If args.Count = 0 Then...WriteLineErr message...WScript.Quit 25121..End If.End Sub..Dim ALLOWED_OS_ARCHITECTURE_VALUES: ALLOWED_OS_ARCHITECTURE_VALUES = Array("S", "A", "32", "64")..'.'.determine the architecture of the operating system, that will be used. there are 4 possibilities:
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):306214
                                                                                                                                                                                                  Entropy (8bit):4.392850925698206
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:ogusbBDoCIdRSt25iD1Z3yAcCLi9wfuwWMvDdkbMzaQ:ogus9oCM9OUYffnWYWbIF
                                                                                                                                                                                                  MD5:AEDD1B80A8140B94C00DB3C0B9485772
                                                                                                                                                                                                  SHA1:2DC8444E599438ED37A31EBFE7F8859AF7FAC631
                                                                                                                                                                                                  SHA-256:C1DA41052ABE31791AE90A9DBE54442A641E1ECBB018EF35C44E7AED05B8F72E
                                                                                                                                                                                                  SHA-512:3E06CB550F46285D8DC81D1F082732C07E9C9D81ABE931E859262C7BA699D4EB9737581F5A5C5174E09BB0FC0561A9DE46298714CED38F453F922F9536C67D0C
                                                                                                                                                                                                  Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:data
Category:dropped
Size (bytes):679161
Entropy (8bit):5.217457437935302
Encrypted:false
SSDEEP:6144:m/h8ML2Zu/Bg90Ws9oCM9Otxh6vtDINPbIgTtLAkW/cB2Z0JZkQXEzBO+lZ:myMSZu/Bg90BuCzIP/+2ZGZazJlZ
MD5:0C259ECBB12E6F3F0E076E6200221489
SHA1:3DE53DCAFDCE24C151DD1812769B46ACEA77C90C
SHA-256:83A8345EA197020E07FE2CF53E74F31D0CC632CA1537F5C9C1DB2FB2665AB04F
SHA-512:6EF39EE8B7D40C5E6C0E79F8C4E846D431A6A87711D025122E2E7F060C5754FFF917771D5EDE6ADEC3BE909FB5CE0E8EB1DF5E18142ECDB6339BDDE8CE2C8398
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):5312000
Entropy (8bit):6.364537003040197
Encrypted:false
SSDEEP:49152:YL1wrvfRIQkXfBe1IlA8gE+LGHEYXb3GNfsUd9QjqZztkJCP1pSN6WxHEmp+DnnV:81w7weOqiFIYBgTE
MD5:8FE00EBE76542263463877F27417EC61
SHA1:763502E57A3C4FBE5FC25EE7E9C942D94505D244
SHA-256:46AFB1ED7AB1B1A679E00784B2E78CC2358CEC615553699624FF77882F55787B
SHA-512:62B375B40EEDF04D03D8465570634B56D529E9525BD6D81BE94B40C7DA21CCCAA808BE97649F9404DED9EDD5CE129F9FB1D462C6A1986A25FA8A228857CDA5A2
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:JSON data
Category:dropped
Size (bytes):106
Entropy (8bit):4.724752649036734
Encrypted:false
SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
MD5:8642DD3A87E2DE6E991FAE08458E302B
SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:false
Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):954368
Entropy (8bit):6.588968362833733
Encrypted:false
SSDEEP:24576:CkMYSDIukxvnwhdzY96Z5WiDYsH56g3P0zAk7lE1:Cku0fwhC96Z5WiDYsH56g3P0zAk7l
MD5:D8F31216785E204DA9BAD10E9F3734B7
SHA1:BE7F53566DBAEC5DBE61AFC76BF7401CFC42EF08
SHA-256:FA6B4E20EB448746E2EFF9A7FDE7A62585E371F3497A6A928EADE0A8CE8C1A9F
SHA-512:D7EF5EF7ED9B5559E107369849ADCD18FB9C9C3A90033731A46C4B5D3BA431582936E54E5B5918CE19A667B3F1EB369A93BC3F9A03DF8E5397E5F80DC21A61A1
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):9216
Entropy (8bit):5.5347224014600345
Encrypted:false
SSDEEP:192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY
MD5:17309E33B596BA3A5693B4D3E85CF8D7
SHA1:7D361836CF53DF42021C7F2B148AEC9458818C01
SHA-256:996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93
SHA-512:1ABAC3CE4F2D5E4A635162E16CF9125E059BA1539F70086C2D71CD00D41A6E2A54D468E6F37792E55A822D7082FB388B8DFECC79B59226BBB047B7D28D44D298
Malicious:false
Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):102400
Entropy (8bit):6.729923587623207
Encrypted:false
SSDEEP:3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
MD5:C6A6E03F77C313B267498515488C5740
SHA1:3D49FC2784B9450962ED6B82B46E9C3C957D7C15
SHA-256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
SHA-512:9870C5879F7B72836805088079AD5BBAFCB59FC3D9127F2160D4EC3D6E88D3CC8EBE5A9F5D20A4720FE6407C1336EF10F33B2B9621BC587E930D4CBACF337803
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.719859767584478
Encrypted:false
SSDEEP:192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):78141621
Entropy (8bit):7.999996239109227
Encrypted:true
SSDEEP:1572864:C2um44HiI3Bbzg13iXyBGHG3cv4JW4/KMYAMvJmiftz1Y/g3/trsW9TNd8gUNXE:CTm4vIutyYJo+sUifl1YK/trs1gp
MD5:C61B218A36D2C1ACF12850705B82FAB7
SHA1:86D655F287EE48E883D26AF32CE6D2BC2047E72E
SHA-256:DB93B23692E2305373FBEA8C549C322A583DC68DBDF9941F04B1DD259D3838D1
SHA-512:378A6FAAF834924E26187097EFBFA314DE3E84532AAB085CB613CE337C3F961BE587D600B4347632BBC57071EA08E0ACB5C9B63C99BB10EF75DCE8A54406B4CC
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4608
Entropy (8bit):4.703695912299512
Encrypted:false
SSDEEP:48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj
MD5:F0438A894F3A7E01A4AAE8D1B5DD0289
SHA1:B058E3FCFB7B550041DA16BF10D8837024C38BF6
SHA-256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
SHA-512:F91FCEA19CBDDF8086AFFCB63FE599DC2B36351FC81AC144F58A80A524043DDEAA3943F36C86EBAE45DD82E8FAF622EA7B7C9B776E74C54B93DF2963CFE66CC7
Malicious:false

Process:C:\Users\user\Desktop\Collaboration-x64.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):434176
Entropy (8bit):6.584811966667578
Encrypted:false
SSDEEP:6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck
MD5:80E44CE4895304C6A3A831310FBF8CD0
SHA1:36BD49AE21C460BE5753A904B4501F1ABCA53508
SHA-256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
SHA-512:C8BA7B1F9113EAD23E993E74A48C4427AE3562C1F6D9910B2BBE6806C9107CF7D94BC7D204613E4743D0CD869E00DAFD4FB54AAD1E8ADB69C553F3B9E5BC64DF
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.814115788739565
Encrypted:false
SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:CFF85C549D536F651D4FB8387F1976F2
SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):7168
Entropy (8bit):5.298362543684714
Encrypted:false
SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
MD5:675C4948E1EFC929EDCABFE67148EDDD
SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.814115788739565
Encrypted:false
SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:CFF85C549D536F651D4FB8387F1976F2
SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7168
                                                                                                                                                                                                  Entropy (8bit):5.298362543684714
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                                                                                                                                                                                                  MD5:675C4948E1EFC929EDCABFE67148EDDD
                                                                                                                                                                                                  SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                                                                                                                                                                                  SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                                                                                                                                                                                  SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):12288
                                                                                                                                                                                                  Entropy (8bit):5.814115788739565
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                                                                                                                                                  MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                                                                  SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                                                                  SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                                                                  SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7168
                                                                                                                                                                                                  Entropy (8bit):5.298362543684714
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                                                                                                                                                                                                  MD5:675C4948E1EFC929EDCABFE67148EDDD
                                                                                                                                                                                                  SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                                                                                                                                                                                  SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                                                                                                                                                                                  SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7
                                                                                                                                                                                                  Entropy (8bit):2.2359263506290326
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:t:t
                                                                                                                                                                                                  MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                                                                                                                                                                                  SHA1:D750F8260312A40968458169B496C40DACC751CA
                                                                                                                                                                                                  SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                                                                                                                                                                                  SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:Ok.....
                                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                  Entropy (8bit):7.999108240757062
                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                  File name:Collaboration-x64.exe
                                                                                                                                                                                                  File size:104'457'632 bytes
                                                                                                                                                                                                  MD5:335fe577cfcd7c2e3d62ca7ae6c92b8f
                                                                                                                                                                                                  SHA1:e025f1c339ac4f39134283cb7dff0a2b48e5be6b
                                                                                                                                                                                                  SHA256:7b999bd912a71a10f056eb8052a0475efdff781a15b94606138c6525c60665cb
                                                                                                                                                                                                  SHA512:9b26716ae526e67675eca053a4a8c066de26d0c3c710f646d005cea722b44d11b4686d6ba21cd45b92fded415fd24660a0e24cda8493281e9af5f5d9fc480fb1
                                                                                                                                                                                                  SSDEEP:3145728:/bTm4vIutyYJo+sUifl1YK/trs1goiLWMKm+KdnF:TC4noYJox19/3zLWMKBcF
                                                                                                                                                                                                  TLSH:093833685AB0813FF8169B35613807D9913BADFC9A3ACE531418F3D8FB332E0654A597
                                                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@.
                                                                                                                                                                                                  Icon Hash:1361acaa96d4610f
                                                                                                                                                                                                  Entrypoint:0x40338f
                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                  Digitally signed:true
                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                  Time Stamp:0x5C157F86 [Sat Dec 15 22:26:14 2018 UTC]
                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                  OS Version Major:4
                                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                                  File Version Major:4
                                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                                  Subsystem Version Major:4
                                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                                  Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                                                                                                                                                  Signature Valid:true
                                                                                                                                                                                                  Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                                                                                                                  Signature Validation Error:The operation completed successfully
                                                                                                                                                                                                  Error Number:0
                                                                                                                                                                                                  Not Before, Not After
                                                                                                                                                                                                  • 08/11/2024 07:02:16 08/11/2027 07:02:15
                                                                                                                                                                                                  Subject Chain
                                                                                                                                                                                                  • CN=Wildix O\xdc, O=Wildix O\xdc, STREET="Laeva tn., 2", PostalCode=10111, L=Tallinn, S=Harju maakond, C=EE, SERIALNUMBER=12915667, OID.1.3.6.1.4.1.311.60.2.1.1=Tartu, OID.1.3.6.1.4.1.311.60.2.1.2=Tartu maakond, OID.1.3.6.1.4.1.311.60.2.1.3=EE, OID.2.5.4.15=Private Organization
                                                                                                                                                                                                  Version:3
                                                                                                                                                                                                  Thumbprint MD5:8D242122DFF67487607F2D0420C749C0
                                                                                                                                                                                                  Thumbprint SHA-1:2DA714C0EA5669329B9CB729381362B9741E2F0F
                                                                                                                                                                                                  Thumbprint SHA-256:BB6DCF27CB6D1C9AA885B52FEF8532723B899FC11E7527553389E40571B11117
                                                                                                                                                                                                  Serial:7625A04AF8C3CA38783A5126728CA6F5
                                                                                                                                                                                                  Instruction
                                                                                                                                                                                                  sub esp, 000002D4h
                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                  push esi
                                                                                                                                                                                                  push edi
                                                                                                                                                                                                  push 00000020h
                                                                                                                                                                                                  pop edi
                                                                                                                                                                                                  xor ebx, ebx
                                                                                                                                                                                                  push 00008001h
                                                                                                                                                                                                  mov dword ptr [esp+14h], ebx
                                                                                                                                                                                                  mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                                                                                  mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                                  call dword ptr [004080A8h]
                                                                                                                                                                                                  call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0047AEECh], eax
je 00007F9358823B43h
push ebx
call 00007F9358826DF5h
cmp eax, ebx
je 00007F9358823B39h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F9358826D6Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F9358823B1Ch
push 0000000Ah
call 00007F9358826DC8h
push 00000008h
call 00007F9358826DC1h
push 00000006h
mov dword ptr [0047AEE4h], eax
call 00007F9358826DB5h
cmp eax, ebx
je 00007F9358823B41h
push 0000001Eh
call eax
test eax, eax
je 00007F9358823B39h
or byte ptr [0047AEEFh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0047AFB8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 00440208h
call dword ptr [00408188h]
push 0040A2C8h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8610           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x19f000         0x5c8e8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x639928         0x5318
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text   0x1000           0x6627        0x6800    7618d4c0cd8bb67ea9595b4266b3a91f  False     0.6646259014423077  data       6.450282348506287  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x14a2        0x1600    eecac1fed9cc6b447d50940d178404d8  False     0.4405184659090909  data       5.025178929113415  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x70ff8       0x600     db8f31a08a2242d80c29e1f9500c6527  False     0.5182291666666666  data       4.037117731448378  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x7b000          0x124000      0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x19f000         0x5c8e8       0x5ca00   a25e41886483ff1ac2dc440641bf81eb  False     0.1160883729757085  data       2.731818245670535  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                                 Language  Country        ZLIB Complexity
RT_ICON        0x19f598  0x42028  Device independent bitmap graphic, 256 x 512 x 32, image size 262144                 English   United States  0.09041482971861407
RT_ICON        0x1e15c0  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536                  English   United States  0.14447533420087544
RT_ICON        0x1f1de8  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384                   English   United States  0.2112659423712801
RT_ICON        0x1f6010  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216                     English   United States  0.26441908713692946
RT_ICON        0x1f85b8  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096                     English   United States  0.36890243902439024
RT_ICON        0x1f9660  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024                     English   United States  0.5726950354609929
RT_DIALOG      0x1f9ac8  0x202    data                                                                                 English   United States  0.4085603112840467
RT_DIALOG      0x1f9cd0  0xf8     data                                                                                 English   United States  0.6290322580645161
RT_DIALOG      0x1f9dc8  0xee     data                                                                                 English   United States  0.6260504201680672
RT_DIALOG      0x1f9eb8  0x1fa    data                                                                                 English   United States  0.40118577075098816
RT_DIALOG      0x1fa0b8  0xf0     data                                                                                 English   United States  0.6666666666666666
RT_DIALOG      0x1fa1a8  0xe6     data                                                                                 English   United States  0.6565217391304348
RT_DIALOG      0x1fa290  0x1ee    data                                                                                 English   United States  0.38866396761133604
RT_DIALOG      0x1fa480  0xe4     data                                                                                 English   United States  0.6447368421052632
RT_DIALOG      0x1fa568  0xda     data                                                                                 English   United States  0.6422018348623854
RT_DIALOG      0x1fa648  0x1ee    data                                                                                 English   United States  0.3866396761133603
RT_DIALOG      0x1fa838  0xe4     data                                                                                 English   United States  0.6359649122807017
RT_DIALOG      0x1fa920  0xda     data                                                                                 English   United States  0.6376146788990825
RT_DIALOG      0x1faa00  0x1f2    data                                                                                 English   United States  0.39759036144578314
RT_DIALOG      0x1fabf8  0xe8     data                                                                                 English   United States  0.6508620689655172
RT_DIALOG      0x1face0  0xde     data                                                                                 English   United States  0.6486486486486487
RT_DIALOG      0x1fadc0  0x202    data                                                                                 English   United States  0.42217898832684825
RT_DIALOG      0x1fafc8  0xf8     data                                                                                 English   United States  0.6653225806451613
RT_DIALOG      0x1fb0c0  0xee     data                                                                                 English   United States  0.6512605042016807
RT_GROUP_ICON  0x1fb1b0  0x5a     data                                                                                 English   United States  0.7666666666666667
RT_VERSION     0x1fb210  0x2a8    data                                                                                 English   United States  0.4602941176470588
RT_MANIFEST    0x1fb4b8  0x42e    XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators  English   United States  0.5130841121495328
DLL           Import
KERNEL32.dll  SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll    GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll     SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll   SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll  AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll  ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 13, 2025 17:37:44.519603968 CET  50579        53         192.168.2.4  1.1.1.1
Jan 13, 2025 17:37:44.519973993 CET  64907        53         192.168.2.4  1.1.1.1
Jan 13, 2025 17:37:44.524399042 CET  62386        53         192.168.2.4  1.1.1.1
Jan 13, 2025 17:37:44.524524927 CET  58246        53         192.168.2.4  1.1.1.1
Jan 13, 2025 17:37:44.526361942 CET  53           50579      1.1.1.1      192.168.2.4
Jan 13, 2025 17:37:44.526990891 CET  53           64907      1.1.1.1      192.168.2.4
Jan 13, 2025 17:37:44.531347036 CET  53           58246      1.1.1.1      192.168.2.4
Jan 13, 2025 17:37:44.532239914 CET  53           62386      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Jan 13, 2025 17:37:44.519603968 CET  192.168.2.4  1.1.1.1  0x26ba    Standard query (0)  chrome.cloudflare-dns.com  A (IP address)  IN (0x0001)  false
Jan 13, 2025 17:37:44.519973993 CET  192.168.2.4  1.1.1.1  0x12dd    Standard query (0)  chrome.cloudflare-dns.com  65              IN (0x0001)  false
Jan 13, 2025 17:37:44.524399042 CET  192.168.2.4  1.1.1.1  0xf98b    Standard query (0)  chrome.cloudflare-dns.com  A (IP address)  IN (0x0001)  false
Jan 13, 2025 17:37:44.524524927 CET  192.168.2.4  1.1.1.1  0x544c    Standard query (0)  chrome.cloudflare-dns.com  65              IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address       Type            Class        DNS over HTTPS
Jan 13, 2025 17:37:44.526361942 CET  1.1.1.1    192.168.2.4  0x26ba    No error (0)  chrome.cloudflare-dns.com         172.64.41.3   A (IP address)  IN (0x0001)  false
Jan 13, 2025 17:37:44.526361942 CET  1.1.1.1    192.168.2.4  0x26ba    No error (0)  chrome.cloudflare-dns.com         162.159.61.3  A (IP address)  IN (0x0001)  false
Jan 13, 2025 17:37:44.526990891 CET  1.1.1.1    192.168.2.4  0x12dd    No error (0)  chrome.cloudflare-dns.com                       65              IN (0x0001)  false
Jan 13, 2025 17:37:44.531347036 CET  1.1.1.1    192.168.2.4  0x544c    No error (0)  chrome.cloudflare-dns.com                       65              IN (0x0001)  false
Jan 13, 2025 17:37:44.532239914 CET  1.1.1.1    192.168.2.4  0xf98b    No error (0)  chrome.cloudflare-dns.com         172.64.41.3   A (IP address)  IN (0x0001)  false
Jan 13, 2025 17:37:44.532239914 CET  1.1.1.1    192.168.2.4  0xf98b    No error (0)  chrome.cloudflare-dns.com         162.159.61.3  A (IP address)  IN (0x0001)  false

Target ID: 0
Start time: 11:36:09
Start date: 13/01/2025
Path: C:\Users\user\Desktop\Collaboration-x64.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Collaboration-x64.exe"
Imagebase: 0x400000
File size: 104'457'632 bytes
MD5 hash: 335FE577CFCD7C2E3D62CA7AE6C92B8F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 11:36:44
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
Imagebase: 0x1560000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 11:36:44
Start date: 13/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 11:36:45
Start date: 13/01/2025
Path: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true
Imagebase: 0x400000
File size: 25'539'800 bytes
MD5 hash: A7046C3136192E6E7B5180728B3B3B49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 8
Start time: 11:36:45
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 11:36:45
Start date: 13/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 11:36:46
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Imagebase: 0x140000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 11:36:46
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 11:36:46
Start date: 13/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 11:36:46
Start date: 13/01/2025
Path: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true
Imagebase: 0x400000
File size: 25'539'800 bytes
MD5 hash: A7046C3136192E6E7B5180728B3B3B49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                                  Start time:11:36:46
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                                  Imagebase:0x140000
                                                                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:15
                                                                                                                                                                                                  Start time:11:36:46
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WIService.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:16
                                                                                                                                                                                                  Start time:11:36:46
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:17
                                                                                                                                                                                                  Start time:11:36:46
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:18
                                                                                                                                                                                                  Start time:11:36:46
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:19
                                                                                                                                                                                                  Start time:11:36:46
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WIService.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                                  Start time:11:36:46
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:schtasks /delete /TN "Wildix\WIService failed update recovery" /F
                                                                                                                                                                                                  Imagebase:0x140000
                                                                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:21
                                                                                                                                                                                                  Start time:11:36:46
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:22
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:23
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WIui.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:24
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:25
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WIui.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:26
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                                  Imagebase:0x140000
                                                                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:27
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WIService.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:28
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:29
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM wirtpproxy.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:30
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:31
                                                                                                                                                                                                  Start time:11:36:47
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WIService.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:32
                                                                                                                                                                                                  Start time:11:36:48
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM wirtpproxy.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:33
                                                                                                                                                                                                  Start time:11:36:48
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WIui.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:34
                                                                                                                                                                                                  Start time:11:36:48
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM wiservice-ui.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:35
                                                                                                                                                                                                  Start time:11:36:48
Start date: 13/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /F /IM wiservice-ui.exe
Imagebase: 0x6e0000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /F /IM WIui.exe
Imagebase: 0x6e0000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C taskkill /F /IM vncsrv.exe
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S
Imagebase: 0x400000
File size: 25'539'800 bytes
MD5 hash: A7046C3136192E6E7B5180728B3B3B49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /F /IM vncsrv.exe
Imagebase: 0x6e0000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C taskkill /F /IM wirtpproxy.exe
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Imagebase: 0x7ff71e800000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 11:36:49
Start date: 13/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 46
Start time: 11:36:48
Start date: 13/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                  Target ID:47
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:48
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:49
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:50
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM wirtpproxy.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:51
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                                  Imagebase:0x140000
                                                                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:52
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:53
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:54
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:55
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:56
                                                                                                                                                                                                  Start time:11:36:49
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:57
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Imagebase:0x140000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM wiservice-ui.exe
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM wiservice-ui.exe
Imagebase:0x6e0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WildixOutlookSync64.exe
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WildixOutlookSync64.exe
Imagebase:0x6e0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WIService.exe
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:11:36:49
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WIService.exe
Imagebase:0x6e0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:11:36:50
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM vncsrv.exe
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:11:36:50
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:11:36:50
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM vncsrv.exe
Imagebase:0x6e0000
File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:70
                                                                                                                                                                                                  Start time:11:36:50
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WIui.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:71
                                                                                                                                                                                                  Start time:11:36:50
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:72
                                                                                                                                                                                                  Start time:11:36:50
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WIui.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:73
                                                                                                                                                                                                  Start time:11:36:51
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:74
                                                                                                                                                                                                  Start time:11:36:51
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:75
                                                                                                                                                                                                  Start time:11:36:51
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:76
                                                                                                                                                                                                  Start time:11:36:51
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM wirtpproxy.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:77
                                                                                                                                                                                                  Start time:11:36:51
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:78
                                                                                                                                                                                                  Start time:11:36:51
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM wirtpproxy.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:79
                                                                                                                                                                                                  Start time:11:36:51
                                                                                                                                                                                                  Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WildixOutlookSync32.exe
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:80
Start time:11:36:51
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:81
Start time:11:36:51
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WildixOutlookSync32.exe
Imagebase:0x6e0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:82
Start time:11:36:51
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM wiservice-ui.exe
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:83
Start time:11:36:51
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:84
Start time:11:36:51
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM wiservice-ui.exe
Imagebase:0x6e0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:85
Start time:11:36:51
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WildixOutlookSync64.exe
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:86
Start time:11:36:51
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:87
Start time:11:36:51
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WildixOutlookSync64.exe
Imagebase:0x6e0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:88
Start time:11:36:52
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM vncsrv.exe
Imagebase:0x7ff72bec0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:89
Start time:11:36:52
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:90
Start time:11:36:52
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM vncsrv.exe
Imagebase:0x6e0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                  Target ID:91
                                                                                                                                                                                                  Start time:11:36:53
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:92
                                                                                                                                                                                                  Start time:11:36:53
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:93
                                                                                                                                                                                                  Start time:11:36:53
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:94
                                                                                                                                                                                                  Start time:11:36:55
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:95
                                                                                                                                                                                                  Start time:11:36:55
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:96
                                                                                                                                                                                                  Start time:11:36:55
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:97
                                                                                                                                                                                                  Start time:11:36:55
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookSync64.exe
                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:98
                                                                                                                                                                                                  Start time:11:36:56
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:99
                                                                                                                                                                                                  Start time:11:36:56
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm" "C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll" /silent /codebase
                                                                                                                                                                                                  Imagebase:0x2a1f9380000
                                                                                                                                                                                                  File size:65'168 bytes
                                                                                                                                                                                                  MD5 hash:A4EB36BAE72C5CB7392F2B85609D4A7E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:100
                                                                                                                                                                                                  Start time:11:36:56
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:101
                                                                                                                                                                                                  Start time:11:36:56
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookSync64.exe
                                                                                                                                                                                                  Imagebase:0x6e0000
                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true
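
The records above are what the report's "Excessive usage of taskkill to terminate processes" signature fires on: a run of `cmd /C taskkill /F /IM <image>` wrappers, each spawning a `taskkill.exe` child, within a few seconds and with administrator privileges, plus a `RegAsm ... /codebase` registration of an interop DLL under Program Files. The following is an added example (not part of the Joe Sandbox report or of the Wildix software) that parses a constructed subset of these records in the report's own `Key:value` layout and applies two checks a detection engineer would write from them: a forced-taskkill burst counted on the `taskkill.exe` children only (the `cmd /C` wrappers repeat the same command line and would double the count), and any RegAsm invocation using `/codebase`, which records the DLL's on-disk path in the COM registration so later COM activation loads the assembly from that path. The burst threshold (three forced kills within 60 seconds) is an assumed tuning value, not one the report states; the sample records are copied from the report but trimmed to the fields the checks need, and share the report's single date.

```python
import re
import ntpath
from datetime import datetime

# Constructed sample: a subset of the Joe Sandbox "Target" records above, trimmed to
# the fields the checks use (same Key:value layout; all processes share one date).
SAMPLE_RECORDS = r"""
Target ID:91
Start time:11:36:53
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:cmd /C taskkill /F /IM WildixOutlookIntegration.exe

Target ID:93
Start time:11:36:53
Path:C:\Windows\SysWOW64\taskkill.exe
Commandline:taskkill /F /IM WildixOutlookIntegration.exe

Target ID:96
Start time:11:36:55
Path:C:\Windows\SysWOW64\taskkill.exe
Commandline:taskkill /F /IM WildixOutlookSync32.exe

Target ID:99
Start time:11:36:56
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm" "C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll" /silent /codebase

Target ID:101
Start time:11:36:56
Path:C:\Windows\SysWOW64\taskkill.exe
Commandline:taskkill /F /IM WildixOutlookSync64.exe
"""


def parse_records(text):
    """Split blank-line-separated Key:value blocks into dicts. Only the first ':'
    separates key from value, so paths and clock times keep their own colons."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def image_name(record):
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(record.get("Path", "")).lower()


def taskkill_targets(records):
    """(Target ID, killed image) for each taskkill.exe child that used /IM.
    The cmd.exe wrapper is skipped so every kill is counted once."""
    found = []
    for r in records:
        if image_name(r) != "taskkill.exe":
            continue
        m = re.search(r"/IM\s+(\S+)", r.get("Commandline", ""), re.IGNORECASE)
        if m:
            found.append((r["Target ID"], m.group(1)))
    return found


def forced_kill_burst(records, threshold=3, window_seconds=60):
    """Assumed tuning: a burst is >= threshold forced (/F) kills within window_seconds."""
    kills = [r for r in records if image_name(r) == "taskkill.exe"
             and "/F" in r.get("Commandline", "").upper().split()]
    if len(kills) < threshold:
        return None
    times = sorted(datetime.strptime(r["Start time"], "%H:%M:%S") for r in kills)
    span = (times[-1] - times[0]).total_seconds()
    if span > window_seconds:
        return None
    return {"rule": "excessive_forced_taskkill", "count": len(kills),
            "span_seconds": span, "images": [name for _, name in taskkill_targets(records)]}


def codebase_registrations(records):
    """RegAsm /codebase stores the DLL's file path in the COM registration; report it."""
    hits = []
    for r in records:
        cmd = r.get("Commandline", "")
        if image_name(r) == "regasm.exe" and "/codebase" in cmd.lower():
            m = re.search(r'"([^"]+\.dll)"', cmd, re.IGNORECASE)
            hits.append({"rule": "regasm_codebase", "target_id": r["Target ID"],
                         "assembly": m.group(1) if m else None})
    return hits


def analyze(text):
    records = parse_records(text)
    findings = []
    burst = forced_kill_burst(records)
    if burst:
        findings.append(burst)
    findings.extend(codebase_registrations(records))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

Run against the sample, the burst check reports three forced kills spanning three seconds, all against Wildix-named images, and the RegAsm check names the registered interop DLL. Neither finding is malicious on its own; an installer stopping its own components before replacing files and registering its Outlook interop assembly produces exactly this shape, which is why the sandbox lists them as signatures to weigh rather than as a verdict.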

                                                                                                                                                                                                  Target ID:102
                                                                                                                                                                                                  Start time:11:36:58
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter
                                                                                                                                                                                                  Imagebase:0x7ff7748e0000
                                                                                                                                                                                                  File size:16'788'080 bytes
                                                                                                                                                                                                  MD5 hash:D62710F3678538E483FFC7EA112D7F68
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:103
                                                                                                                                                                                                  Start time:11:36:59
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\spoolsv.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\System32\spoolsv.exe
                                                                                                                                                                                                  Imagebase:0x7ff646ff0000
                                                                                                                                                                                                  File size:842'752 bytes
                                                                                                                                                                                                  MD5 hash:0D4B1E3E4488E9BDC035F23E1F4FE22F
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:104
                                                                                                                                                                                                  Start time:11:36:59
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WIService.exe
                                                                                                                                                                                                  Imagebase:0x7ff6335e0000
                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:105
                                                                                                                                                                                                  Start time:11:36:59
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:111
                                                                                                                                                                                                  Start time:11:36:59
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:121
                                                                                                                                                                                                  Start time:11:37:00
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:126
                                                                                                                                                                                                  Start time:11:37:01
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:131
                                                                                                                                                                                                  Start time:11:37:01
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x260000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:141
                                                                                                                                                                                                  Start time:11:37:01
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:183
                                                                                                                                                                                                  Start time:11:37:04
                                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:323
                                                                                                                                                                                                  Start time:11:37:36
                                                                                                                                                                                                  Start date:13/01/2025
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false


Execution Graph

Execution Coverage:28%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:21.3%
Total number of Nodes:1389
Total number of Limit Nodes:42
                                                                                                                                                                                                    execution_graph 3023 4015c1 3042 402c41 3023->3042 3027 401631 3029 401663 3027->3029 3030 401636 3027->3030 3032 401423 24 API calls 3029->3032 3066 401423 3030->3066 3039 40165b 3032->3039 3037 40164a SetCurrentDirectoryW 3037->3039 3038 4015d1 3038->3027 3040 401617 GetFileAttributesW 3038->3040 3054 405bbc 3038->3054 3058 40588b 3038->3058 3061 4057f1 CreateDirectoryW 3038->3061 3070 40586e CreateDirectoryW 3038->3070 3040->3038 3043 402c4d 3042->3043 3073 4062dc 3043->3073 3046 4015c8 3048 405c3a CharNextW CharNextW 3046->3048 3049 405c57 3048->3049 3052 405c69 3048->3052 3051 405c64 CharNextW 3049->3051 3049->3052 3050 405c8d 3050->3038 3051->3050 3052->3050 3053 405bbc CharNextW 3052->3053 3053->3052 3055 405bc2 3054->3055 3056 405bd8 3055->3056 3057 405bc9 CharNextW 3055->3057 3056->3038 3057->3055 3111 406694 GetModuleHandleA 3058->3111 3062 405842 GetLastError 3061->3062 3063 40583e 3061->3063 3062->3063 3064 405851 SetFileSecurityW 3062->3064 3063->3038 3064->3063 3065 405867 GetLastError 3064->3065 3065->3063 3120 405322 3066->3120 3069 4062ba lstrcpynW 3069->3037 3071 405882 GetLastError 3070->3071 3072 40587e 3070->3072 3071->3072 3072->3038 3076 4062e9 3073->3076 3074 406534 3075 402c6e 3074->3075 3106 4062ba lstrcpynW 3074->3106 3075->3046 3090 40654e 3075->3090 3076->3074 3078 406502 lstrlenW 3076->3078 3079 4062dc 10 API calls 3076->3079 3082 406417 GetSystemDirectoryW 3076->3082 3084 40642a GetWindowsDirectoryW 3076->3084 3085 40654e 5 API calls 3076->3085 3086 4062dc 10 API calls 3076->3086 3087 4064a5 lstrcatW 3076->3087 3088 40645e SHGetSpecialFolderLocation 3076->3088 3099 406188 3076->3099 3104 406201 wsprintfW 3076->3104 3105 4062ba lstrcpynW 3076->3105 3078->3076 3079->3078 3082->3076 3084->3076 3085->3076 3086->3076 3087->3076 3088->3076 3089 
406476 SHGetPathFromIDListW CoTaskMemFree 3088->3089 3089->3076 3096 40655b 3090->3096 3091 4065d6 CharPrevW 3093 4065d1 3091->3093 3092 4065c4 CharNextW 3092->3093 3092->3096 3093->3091 3094 4065f7 3093->3094 3094->3046 3095 405bbc CharNextW 3095->3096 3096->3092 3096->3093 3096->3095 3097 4065b0 CharNextW 3096->3097 3098 4065bf CharNextW 3096->3098 3097->3096 3098->3092 3107 406127 3099->3107 3102 4061ec 3102->3076 3103 4061bc RegQueryValueExW RegCloseKey 3103->3102 3104->3076 3105->3076 3106->3075 3108 406136 3107->3108 3109 40613a 3108->3109 3110 40613f RegOpenKeyExW 3108->3110 3109->3102 3109->3103 3110->3109 3112 4066b0 3111->3112 3113 4066ba GetProcAddress 3111->3113 3117 406624 GetSystemDirectoryW 3112->3117 3116 405892 3113->3116 3115 4066b6 3115->3113 3115->3116 3116->3038 3118 406646 wsprintfW LoadLibraryExW 3117->3118 3118->3115 3121 40533d 3120->3121 3122 401431 3120->3122 3123 405359 lstrlenW 3121->3123 3126 4062dc 17 API calls 3121->3126 3122->3069 3124 405382 3123->3124 3125 405367 lstrlenW 3123->3125 3128 405395 3124->3128 3129 405388 SetWindowTextW 3124->3129 3125->3122 3127 405379 lstrcatW 3125->3127 3126->3123 3127->3124 3128->3122 3130 40539b SendMessageW SendMessageW SendMessageW 3128->3130 3129->3128 3130->3122 3131 401941 3132 401943 3131->3132 3133 402c41 17 API calls 3132->3133 3134 401948 3133->3134 3137 4059cc 3134->3137 3173 405c97 3137->3173 3140 4059f4 DeleteFileW 3170 401951 3140->3170 3141 405a0b 3146 405b2b 3141->3146 3187 4062ba lstrcpynW 3141->3187 3143 405a31 3144 405a44 3143->3144 3145 405a37 lstrcatW 3143->3145 3189 405bdb lstrlenW 3144->3189 3147 405a4a 3145->3147 3146->3170 3206 4065fd FindFirstFileW 3146->3206 3150 405a5a lstrcatW 3147->3150 3152 405a65 lstrlenW FindFirstFileW 3147->3152 3150->3152 3152->3146 3171 405a87 3152->3171 3155 405b0e FindNextFileW 3159 405b24 FindClose 3155->3159 3155->3171 3156 405984 5 API calls 3158 405b66 3156->3158 3160 405b80 3158->3160 3161 405b6a 3158->3161 3159->3146 3163 405322 24 API 
calls 3160->3163 3164 405322 24 API calls 3161->3164 3161->3170 3163->3170 3166 405b77 3164->3166 3165 4059cc 60 API calls 3165->3171 3168 406080 36 API calls 3166->3168 3167 405322 24 API calls 3167->3155 3168->3170 3169 405322 24 API calls 3169->3171 3171->3155 3171->3165 3171->3167 3171->3169 3188 4062ba lstrcpynW 3171->3188 3193 405984 3171->3193 3201 406080 MoveFileExW 3171->3201 3212 4062ba lstrcpynW 3173->3212 3175 405ca8 3176 405c3a 4 API calls 3175->3176 3177 405cae 3176->3177 3178 4059ec 3177->3178 3179 40654e 5 API calls 3177->3179 3178->3140 3178->3141 3185 405cbe 3179->3185 3180 405cef lstrlenW 3181 405cfa 3180->3181 3180->3185 3183 405b8f 3 API calls 3181->3183 3182 4065fd 2 API calls 3182->3185 3184 405cff GetFileAttributesW 3183->3184 3184->3178 3185->3178 3185->3180 3185->3182 3186 405bdb 2 API calls 3185->3186 3186->3180 3187->3143 3188->3171 3190 405be9 3189->3190 3191 405bfb 3190->3191 3192 405bef CharPrevW 3190->3192 3191->3147 3192->3190 3192->3191 3213 405d8b GetFileAttributesW 3193->3213 3196 4059b1 3196->3171 3197 4059a7 DeleteFileW 3199 4059ad 3197->3199 3198 40599f RemoveDirectoryW 3198->3199 3199->3196 3200 4059bd SetFileAttributesW 3199->3200 3200->3196 3202 4060a3 3201->3202 3203 406094 3201->3203 3202->3171 3216 405f06 3203->3216 3207 406613 FindClose 3206->3207 3208 405b50 3206->3208 3207->3208 3208->3170 3209 405b8f lstrlenW CharPrevW 3208->3209 3210 405b5a 3209->3210 3211 405bab lstrcatW 3209->3211 3210->3156 3211->3210 3212->3175 3214 405990 3213->3214 3215 405d9d SetFileAttributesW 3213->3215 3214->3196 3214->3197 3214->3198 3215->3214 3217 405f36 3216->3217 3218 405f5c GetShortPathNameW 3216->3218 3243 405db0 GetFileAttributesW CreateFileW 3217->3243 3220 405f71 3218->3220 3221 40607b 3218->3221 3220->3221 3223 405f79 wsprintfA 3220->3223 3221->3202 3222 405f40 CloseHandle GetShortPathNameW 3222->3221 3224 405f54 3222->3224 3225 4062dc 17 API calls 3223->3225 3224->3218 3224->3221 3226 405fa1 3225->3226 3244 405db0 
GetFileAttributesW CreateFileW 3226->3244 3228 405fae 3228->3221 3229 405fbd GetFileSize GlobalAlloc 3228->3229 3230 406074 CloseHandle 3229->3230 3231 405fdf 3229->3231 3230->3221 3245 405e33 ReadFile 3231->3245 3236 406012 3239 405d15 4 API calls 3236->3239 3237 405ffe lstrcpyA 3238 406020 3237->3238 3240 406057 SetFilePointer 3238->3240 3239->3238 3252 405e62 WriteFile 3240->3252 3243->3222 3244->3228 3246 405e51 3245->3246 3246->3230 3247 405d15 lstrlenA 3246->3247 3248 405d56 lstrlenA 3247->3248 3249 405d5e 3248->3249 3250 405d2f lstrcmpiA 3248->3250 3249->3236 3249->3237 3250->3249 3251 405d4d CharNextA 3250->3251 3251->3248 3253 405e80 GlobalFree 3252->3253 3253->3230 3450 401e49 3451 402c1f 17 API calls 3450->3451 3452 401e4f 3451->3452 3453 402c1f 17 API calls 3452->3453 3454 401e5b 3453->3454 3455 401e72 EnableWindow 3454->3455 3456 401e67 ShowWindow 3454->3456 3457 402ac5 3455->3457 3456->3457 3962 40264a 3963 402c1f 17 API calls 3962->3963 3971 402659 3963->3971 3964 402796 3965 4026a3 ReadFile 3965->3964 3965->3971 3966 405e33 ReadFile 3966->3971 3968 4026e3 MultiByteToWideChar 3968->3971 3969 402798 3984 406201 wsprintfW 3969->3984 3971->3964 3971->3965 3971->3966 3971->3968 3971->3969 3972 402709 SetFilePointer MultiByteToWideChar 3971->3972 3973 4027a9 3971->3973 3975 405e91 SetFilePointer 3971->3975 3972->3971 3973->3964 3974 4027ca SetFilePointer 3973->3974 3974->3964 3976 405ead 3975->3976 3983 405ec5 3975->3983 3977 405e33 ReadFile 3976->3977 3978 405eb9 3977->3978 3979 405ef6 SetFilePointer 3978->3979 3980 405ece SetFilePointer 3978->3980 3978->3983 3979->3983 3980->3979 3981 405ed9 3980->3981 3982 405e62 WriteFile 3981->3982 3982->3983 3983->3971 3984->3964 3988 4016cc 3989 402c41 17 API calls 3988->3989 3990 4016d2 GetFullPathNameW 3989->3990 3991 40170e 3990->3991 3992 4016ec 3990->3992 3993 401723 GetShortPathNameW 3991->3993 3994 402ac5 3991->3994 3992->3991 3995 4065fd 2 API calls 3992->3995 3993->3994 3996 4016fe 3995->3996 3996->3991 
3998 4062ba lstrcpynW 3996->3998 3998->3991 3999 40234e 4000 402c41 17 API calls 3999->4000 4001 40235d 4000->4001 4002 402c41 17 API calls 4001->4002 4003 402366 4002->4003 4004 402c41 17 API calls 4003->4004 4005 402370 GetPrivateProfileStringW 4004->4005 3731 4038d0 3732 4038e8 3731->3732 3733 4038da CloseHandle 3731->3733 3738 403915 3732->3738 3733->3732 3736 4059cc 67 API calls 3737 4038f9 3736->3737 3740 403923 3738->3740 3739 4038ed 3739->3736 3740->3739 3741 403928 FreeLibrary GlobalFree 3740->3741 3741->3739 3741->3741 4006 401b53 4007 402c41 17 API calls 4006->4007 4008 401b5a 4007->4008 4009 402c1f 17 API calls 4008->4009 4010 401b63 wsprintfW 4009->4010 4011 402ac5 4010->4011 4012 401956 4013 402c41 17 API calls 4012->4013 4014 40195d lstrlenW 4013->4014 4015 402592 4014->4015 4016 4014d7 4017 402c1f 17 API calls 4016->4017 4018 4014dd Sleep 4017->4018 4020 402ac5 4018->4020 3845 403d58 3846 403d70 3845->3846 3847 403eab 3845->3847 3846->3847 3848 403d7c 3846->3848 3849 403efc 3847->3849 3850 403ebc GetDlgItem GetDlgItem 3847->3850 3853 403d87 SetWindowPos 3848->3853 3854 403d9a 3848->3854 3852 403f56 3849->3852 3862 401389 2 API calls 3849->3862 3851 404231 18 API calls 3850->3851 3857 403ee6 SetClassLongW 3851->3857 3858 40427d SendMessageW 3852->3858 3878 403ea6 3852->3878 3853->3854 3855 403db7 3854->3855 3856 403d9f ShowWindow 3854->3856 3859 403dd9 3855->3859 3860 403dbf DestroyWindow 3855->3860 3856->3855 3861 40140b 2 API calls 3857->3861 3872 403f68 3858->3872 3863 403dde SetWindowLongW 3859->3863 3864 403def 3859->3864 3915 4041ba 3860->3915 3861->3849 3865 403f2e 3862->3865 3863->3878 3867 403e98 3864->3867 3868 403dfb GetDlgItem 3864->3868 3865->3852 3869 403f32 SendMessageW 3865->3869 3866 4041bc DestroyWindow EndDialog 3866->3915 3875 404298 8 API calls 3867->3875 3873 403e2b 3868->3873 3874 403e0e SendMessageW IsWindowEnabled 3868->3874 3869->3878 3870 40140b 2 API calls 3870->3872 3871 4041eb ShowWindow 3871->3878 3872->3866 3872->3870 
3876 4062dc 17 API calls 3872->3876 3872->3878 3887 404231 18 API calls 3872->3887 3890 404231 18 API calls 3872->3890 3906 4040fc DestroyWindow 3872->3906 3877 403e30 3873->3877 3879 403e38 3873->3879 3881 403e7f SendMessageW 3873->3881 3882 403e4b 3873->3882 3874->3873 3874->3878 3875->3878 3876->3872 3880 40420a SendMessageW 3877->3880 3879->3877 3879->3881 3883 403e66 3880->3883 3881->3867 3884 403e53 3882->3884 3885 403e68 3882->3885 3883->3867 3886 40140b 2 API calls 3884->3886 3888 40140b 2 API calls 3885->3888 3886->3877 3887->3872 3889 403e6f 3888->3889 3889->3867 3889->3877 3891 403fe3 GetDlgItem 3890->3891 3892 404000 ShowWindow KiUserCallbackDispatcher 3891->3892 3893 403ff8 3891->3893 3916 404253 KiUserCallbackDispatcher 3892->3916 3893->3892 3895 40402a EnableWindow 3900 40403e 3895->3900 3896 404043 GetSystemMenu EnableMenuItem SendMessageW 3897 404073 SendMessageW 3896->3897 3896->3900 3897->3900 3899 403d39 18 API calls 3899->3900 3900->3896 3900->3899 3917 404266 SendMessageW 3900->3917 3918 4062ba lstrcpynW 3900->3918 3902 4040a2 lstrlenW 3903 4062dc 17 API calls 3902->3903 3904 4040b8 SetWindowTextW 3903->3904 3905 401389 2 API calls 3904->3905 3905->3872 3907 404116 CreateDialogParamW 3906->3907 3906->3915 3908 404149 3907->3908 3907->3915 3909 404231 18 API calls 3908->3909 3910 404154 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3909->3910 3911 401389 2 API calls 3910->3911 3912 40419a 3911->3912 3912->3878 3913 4041a2 ShowWindow 3912->3913 3914 40427d SendMessageW 3913->3914 3914->3915 3915->3871 3915->3878 3916->3895 3917->3900 3918->3902 4021 401f58 4022 402c41 17 API calls 4021->4022 4023 401f5f 4022->4023 4024 4065fd 2 API calls 4023->4024 4025 401f65 4024->4025 4027 401f76 4025->4027 4028 406201 wsprintfW 4025->4028 4028->4027 3919 402259 3920 402c41 17 API calls 3919->3920 3921 40225f 3920->3921 3922 402c41 17 API calls 3921->3922 3923 402268 3922->3923 3924 402c41 17 API calls 3923->3924 3925 402271 3924->3925 3926 4065fd 2 
API calls 3925->3926 3927 40227a 3926->3927 3928 40228b lstrlenW lstrlenW 3927->3928 3929 40227e 3927->3929 3931 405322 24 API calls 3928->3931 3930 405322 24 API calls 3929->3930 3932 402286 3929->3932 3930->3932 3933 4022c9 SHFileOperationW 3931->3933 3933->3929 3933->3932 4029 4046db 4030 404711 4029->4030 4031 4046eb 4029->4031 4033 404298 8 API calls 4030->4033 4032 404231 18 API calls 4031->4032 4034 4046f8 SetDlgItemTextW 4032->4034 4035 40471d 4033->4035 4034->4030 3934 40175c 3935 402c41 17 API calls 3934->3935 3936 401763 3935->3936 3937 405ddf 2 API calls 3936->3937 3938 40176a 3937->3938 3939 405ddf 2 API calls 3938->3939 3939->3938 4036 401d5d GetDlgItem GetClientRect 4037 402c41 17 API calls 4036->4037 4038 401d8f LoadImageW SendMessageW 4037->4038 4039 402ac5 4038->4039 4040 401dad DeleteObject 4038->4040 4040->4039 4041 4022dd 4042 4022e4 4041->4042 4045 4022f7 4041->4045 4043 4062dc 17 API calls 4042->4043 4044 4022f1 4043->4044 4046 405920 MessageBoxIndirectW 4044->4046 4046->4045 3254 405461 3255 405482 GetDlgItem GetDlgItem GetDlgItem 3254->3255 3256 40560b 3254->3256 3300 404266 SendMessageW 3255->3300 3258 405614 GetDlgItem CreateThread CloseHandle 3256->3258 3259 40563c 3256->3259 3258->3259 3323 4053f5 OleInitialize 3258->3323 3261 405667 3259->3261 3264 405653 ShowWindow ShowWindow 3259->3264 3265 40568c 3259->3265 3260 4054f2 3269 4054f9 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3260->3269 3262 405673 3261->3262 3263 4056c7 3261->3263 3266 4056a1 ShowWindow 3262->3266 3267 40567b 3262->3267 3263->3265 3277 4056d5 SendMessageW 3263->3277 3305 404266 SendMessageW 3264->3305 3309 404298 3265->3309 3273 4056c1 3266->3273 3274 4056b3 3266->3274 3306 40420a 3267->3306 3275 405567 3269->3275 3276 40554b SendMessageW SendMessageW 3269->3276 3272 40569a 3279 40420a SendMessageW 3273->3279 3278 405322 24 API calls 3274->3278 3280 40557a 3275->3280 3281 40556c SendMessageW 3275->3281 3276->3275 3277->3272 3282 4056ee CreatePopupMenu 
3277->3282 3278->3273 3279->3263 3301 404231 3280->3301 3281->3280 3283 4062dc 17 API calls 3282->3283 3285 4056fe AppendMenuW 3283->3285 3287 40571b GetWindowRect 3285->3287 3288 40572e TrackPopupMenu 3285->3288 3286 40558a 3289 405593 ShowWindow 3286->3289 3290 4055c7 GetDlgItem SendMessageW 3286->3290 3287->3288 3288->3272 3291 405749 3288->3291 3292 4055b6 3289->3292 3293 4055a9 ShowWindow 3289->3293 3290->3272 3294 4055ee SendMessageW SendMessageW 3290->3294 3295 405765 SendMessageW 3291->3295 3304 404266 SendMessageW 3292->3304 3293->3292 3294->3272 3295->3295 3296 405782 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3295->3296 3298 4057a7 SendMessageW 3296->3298 3298->3298 3299 4057d0 GlobalUnlock SetClipboardData CloseClipboard 3298->3299 3299->3272 3300->3260 3302 4062dc 17 API calls 3301->3302 3303 40423c SetDlgItemTextW 3302->3303 3303->3286 3304->3290 3305->3261 3307 404211 3306->3307 3308 404217 SendMessageW 3306->3308 3307->3308 3308->3265 3310 40435b 3309->3310 3311 4042b0 GetWindowLongW 3309->3311 3310->3272 3311->3310 3312 4042c5 3311->3312 3312->3310 3313 4042f2 GetSysColor 3312->3313 3314 4042f5 3312->3314 3313->3314 3315 404305 SetBkMode 3314->3315 3316 4042fb SetTextColor 3314->3316 3317 404323 3315->3317 3318 40431d GetSysColor 3315->3318 3316->3315 3319 404334 3317->3319 3320 40432a SetBkColor 3317->3320 3318->3317 3319->3310 3321 404347 DeleteObject 3319->3321 3322 40434e CreateBrushIndirect 3319->3322 3320->3319 3321->3322 3322->3310 3330 40427d 3323->3330 3325 405418 3329 40543f 3325->3329 3333 401389 3325->3333 3326 40427d SendMessageW 3327 405451 CoUninitialize 3326->3327 3329->3326 3331 404295 3330->3331 3332 404286 SendMessageW 3330->3332 3331->3325 3332->3331 3334 401390 3333->3334 3335 4013fe 3334->3335 3336 4013cb MulDiv SendMessageW 3334->3336 3335->3325 3336->3334 4047 401563 4048 402a6b 4047->4048 4051 406201 wsprintfW 4048->4051 4050 402a70 4051->4050 3337 4023e4 3338 402c41 17 API calls 3337->3338 3339 4023f6 3338->3339 
3340 402c41 17 API calls 3339->3340 3341 402400 3340->3341 3354 402cd1 3341->3354 3344 402ac5 3345 402438 3350 402444 3345->3350 3358 402c1f 3345->3358 3346 402c41 17 API calls 3347 40242e lstrlenW 3346->3347 3347->3345 3349 402463 RegSetValueExW 3352 402479 RegCloseKey 3349->3352 3350->3349 3361 403116 3350->3361 3352->3344 3355 402cec 3354->3355 3381 406155 3355->3381 3359 4062dc 17 API calls 3358->3359 3360 402c34 3359->3360 3360->3350 3362 40312f 3361->3362 3363 40315d 3362->3363 3388 403347 SetFilePointer 3362->3388 3385 403331 3363->3385 3367 4032ca 3369 40330c 3367->3369 3374 4032ce 3367->3374 3368 40317a GetTickCount 3370 4032b4 3368->3370 3377 4031c9 3368->3377 3371 403331 ReadFile 3369->3371 3370->3349 3371->3370 3372 403331 ReadFile 3372->3377 3373 403331 ReadFile 3373->3374 3374->3370 3374->3373 3375 405e62 WriteFile 3374->3375 3375->3374 3376 40321f GetTickCount 3376->3377 3377->3370 3377->3372 3377->3376 3378 403244 MulDiv wsprintfW 3377->3378 3380 405e62 WriteFile 3377->3380 3379 405322 24 API calls 3378->3379 3379->3377 3380->3377 3382 406164 3381->3382 3383 402410 3382->3383 3384 40616f RegCreateKeyExW 3382->3384 3383->3344 3383->3345 3383->3346 3384->3383 3386 405e33 ReadFile 3385->3386 3387 403168 3386->3387 3387->3367 3387->3368 3387->3370 3388->3363 4052 404367 lstrcpynW lstrlenW 4053 401968 4054 402c1f 17 API calls 4053->4054 4055 40196f 4054->4055 4056 402c1f 17 API calls 4055->4056 4057 40197c 4056->4057 4058 402c41 17 API calls 4057->4058 4059 401993 lstrlenW 4058->4059 4060 4019a4 4059->4060 4064 4019e5 4060->4064 4065 4062ba lstrcpynW 4060->4065 4062 4019d5 4063 4019da lstrlenW 4062->4063 4062->4064 4063->4064 4065->4062 4066 402868 4067 402c41 17 API calls 4066->4067 4068 40286f FindFirstFileW 4067->4068 4069 402897 4068->4069 4073 402882 4068->4073 4074 406201 wsprintfW 4069->4074 4071 4028a0 4075 4062ba lstrcpynW 4071->4075 4074->4071 4075->4073 4076 403968 4077 403973 4076->4077 4078 40397a GlobalAlloc 4077->4078 4079 403977 
4077->4079 4078->4079 4080 40166a 4081 402c41 17 API calls 4080->4081 4082 401670 4081->4082 4083 4065fd 2 API calls 4082->4083 4084 401676 4083->4084 3458 40176f 3459 402c41 17 API calls 3458->3459 3460 401776 3459->3460 3461 401796 3460->3461 3462 40179e 3460->3462 3497 4062ba lstrcpynW 3461->3497 3498 4062ba lstrcpynW 3462->3498 3465 40179c 3469 40654e 5 API calls 3465->3469 3466 4017a9 3467 405b8f 3 API calls 3466->3467 3468 4017af lstrcatW 3467->3468 3468->3465 3486 4017bb 3469->3486 3470 4065fd 2 API calls 3470->3486 3471 405d8b 2 API calls 3471->3486 3473 4017cd CompareFileTime 3473->3486 3474 40188d 3476 405322 24 API calls 3474->3476 3475 401864 3477 405322 24 API calls 3475->3477 3481 401879 3475->3481 3479 401897 3476->3479 3477->3481 3478 4062ba lstrcpynW 3478->3486 3480 403116 31 API calls 3479->3480 3482 4018aa 3480->3482 3483 4018be SetFileTime 3482->3483 3484 4018d0 CloseHandle 3482->3484 3483->3484 3484->3481 3487 4018e1 3484->3487 3485 4062dc 17 API calls 3485->3486 3486->3470 3486->3471 3486->3473 3486->3474 3486->3475 3486->3478 3486->3485 3496 405db0 GetFileAttributesW CreateFileW 3486->3496 3499 405920 3486->3499 3488 4018e6 3487->3488 3489 4018f9 3487->3489 3490 4062dc 17 API calls 3488->3490 3491 4062dc 17 API calls 3489->3491 3493 4018ee lstrcatW 3490->3493 3494 401901 3491->3494 3493->3494 3495 405920 MessageBoxIndirectW 3494->3495 3495->3481 3496->3486 3497->3465 3498->3466 3500 405935 3499->3500 3501 405981 3500->3501 3502 405949 MessageBoxIndirectW 3500->3502 3501->3486 3502->3501 4085 4027ef 4086 4027f6 4085->4086 4088 402a70 4085->4088 4087 402c1f 17 API calls 4086->4087 4089 4027fd 4087->4089 4090 40280c SetFilePointer 4089->4090 4090->4088 4091 40281c 4090->4091 4093 406201 wsprintfW 4091->4093 4093->4088 4094 4043f0 4095 404408 4094->4095 4099 404522 4094->4099 4100 404231 18 API calls 4095->4100 4096 40458c 4097 404656 4096->4097 4098 404596 GetDlgItem 4096->4098 4105 404298 8 API calls 4097->4105 4101 4045b0 4098->4101 4102 
404617 4098->4102 4099->4096 4099->4097 4103 40455d GetDlgItem SendMessageW 4099->4103 4104 40446f 4100->4104 4101->4102 4110 4045d6 SendMessageW LoadCursorW SetCursor 4101->4110 4102->4097 4106 404629 4102->4106 4127 404253 KiUserCallbackDispatcher 4103->4127 4108 404231 18 API calls 4104->4108 4109 404651 4105->4109 4111 40463f 4106->4111 4112 40462f SendMessageW 4106->4112 4114 40447c CheckDlgButton 4108->4114 4131 40469f 4110->4131 4111->4109 4116 404645 SendMessageW 4111->4116 4112->4111 4113 404587 4128 40467b 4113->4128 4125 404253 KiUserCallbackDispatcher 4114->4125 4116->4109 4120 40449a GetDlgItem 4126 404266 SendMessageW 4120->4126 4122 4044b0 SendMessageW 4123 4044d6 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4122->4123 4124 4044cd GetSysColor 4122->4124 4123->4109 4124->4123 4125->4120 4126->4122 4127->4113 4129 404689 4128->4129 4130 40468e SendMessageW 4128->4130 4129->4130 4130->4096 4134 4058e6 ShellExecuteExW 4131->4134 4133 404605 LoadCursorW SetCursor 4133->4102 4134->4133 4135 401a72 4136 402c1f 17 API calls 4135->4136 4137 401a7b 4136->4137 4138 402c1f 17 API calls 4137->4138 4139 401a20 4138->4139 4140 401573 4141 401583 ShowWindow 4140->4141 4142 40158c 4140->4142 4141->4142 4143 402ac5 4142->4143 4144 40159a ShowWindow 4142->4144 4144->4143 4145 402df3 4146 402e05 SetTimer 4145->4146 4147 402e1e 4145->4147 4146->4147 4148 402e73 4147->4148 4149 402e38 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4147->4149 4149->4148 4150 401cf3 4151 402c1f 17 API calls 4150->4151 4152 401cf9 IsWindow 4151->4152 4153 401a20 4152->4153 4154 4014f5 SetForegroundWindow 4155 402ac5 4154->4155 4156 402576 4157 402c41 17 API calls 4156->4157 4158 40257d 4157->4158 4161 405db0 GetFileAttributesW CreateFileW 4158->4161 4160 402589 4161->4160 3765 401b77 3766 401b84 3765->3766 3767 401bc8 3765->3767 3770 4022e4 3766->3770 3775 401b9b 3766->3775 3768 401bf2 GlobalAlloc 3767->3768 3769 401bcd 3767->3769 3771 4062dc 17 API calls 3768->3771 3778 
401c0d 3769->3778 3784 4062ba lstrcpynW 3769->3784 3772 4062dc 17 API calls 3770->3772 3771->3778 3774 4022f1 3772->3774 3779 405920 MessageBoxIndirectW 3774->3779 3785 4062ba lstrcpynW 3775->3785 3776 401bdf GlobalFree 3776->3778 3779->3778 3780 401baa 3786 4062ba lstrcpynW 3780->3786 3782 401bb9 3787 4062ba lstrcpynW 3782->3787 3784->3776 3785->3780 3786->3782 3787->3778 4162 404a78 4163 404aa4 4162->4163 4164 404a88 4162->4164 4165 404ad7 4163->4165 4166 404aaa SHGetPathFromIDListW 4163->4166 4173 405904 GetDlgItemTextW 4164->4173 4168 404ac1 SendMessageW 4166->4168 4169 404aba 4166->4169 4168->4165 4171 40140b 2 API calls 4169->4171 4170 404a95 SendMessageW 4170->4163 4171->4168 4173->4170 4174 4024f8 4175 402c81 17 API calls 4174->4175 4176 402502 4175->4176 4177 402c1f 17 API calls 4176->4177 4178 40250b 4177->4178 4179 402533 RegEnumValueW 4178->4179 4180 402527 RegEnumKeyW 4178->4180 4182 40288b 4178->4182 4181 402548 RegCloseKey 4179->4181 4180->4181 4181->4182 4184 100013b8 4185 1000143a 2 API calls 4184->4185 4186 100013e4 4185->4186 4187 100010d0 29 API calls 4186->4187 4188 100013ee 4187->4188 4189 100014cf 3 API calls 4188->4189 4190 100013f7 4189->4190 4191 40167b 4192 402c41 17 API calls 4191->4192 4193 401682 4192->4193 4194 402c41 17 API calls 4193->4194 4195 40168b 4194->4195 4196 402c41 17 API calls 4195->4196 4197 401694 MoveFileW 4196->4197 4198 4016a0 4197->4198 4199 4016a7 4197->4199 4200 401423 24 API calls 4198->4200 4201 4065fd 2 API calls 4199->4201 4203 402250 4199->4203 4200->4203 4202 4016b6 4201->4202 4202->4203 4204 406080 36 API calls 4202->4204 4204->4198 4205 401e7d 4206 402c41 17 API calls 4205->4206 4207 401e83 4206->4207 4208 402c41 17 API calls 4207->4208 4209 401e8c 4208->4209 4210 402c41 17 API calls 4209->4210 4211 401e95 4210->4211 4212 402c41 17 API calls 4211->4212 4213 401e9e 4212->4213 4214 401423 24 API calls 4213->4214 4215 401ea5 4214->4215 4222 4058e6 ShellExecuteExW 4215->4222 4217 401ee7 4218 406745 5 API calls 
4217->4218 4219 40288b 4217->4219 4220 401f01 CloseHandle 4218->4220 4220->4219 4222->4217 4223 4019ff 4224 402c41 17 API calls 4223->4224 4225 401a06 4224->4225 4226 402c41 17 API calls 4225->4226 4227 401a0f 4226->4227 4228 401a16 lstrcmpiW 4227->4228 4229 401a28 lstrcmpW 4227->4229 4230 401a1c 4228->4230 4229->4230 4231 401000 4232 401037 BeginPaint GetClientRect 4231->4232 4233 40100c DefWindowProcW 4231->4233 4235 4010f3 4232->4235 4236 401179 4233->4236 4237 401073 CreateBrushIndirect FillRect DeleteObject 4235->4237 4238 4010fc 4235->4238 4237->4235 4239 401102 CreateFontIndirectW 4238->4239 4240 401167 EndPaint 4238->4240 4239->4240 4241 401112 6 API calls 4239->4241 4240->4236 4241->4240 4242 401503 4243 40150b 4242->4243 4245 40151e 4242->4245 4244 402c1f 17 API calls 4243->4244 4244->4245 3389 402104 3390 402c41 17 API calls 3389->3390 3391 40210b 3390->3391 3392 402c41 17 API calls 3391->3392 3393 402115 3392->3393 3394 402c41 17 API calls 3393->3394 3395 40211f 3394->3395 3396 402c41 17 API calls 3395->3396 3397 402129 3396->3397 3398 402c41 17 API calls 3397->3398 3400 402133 3398->3400 3399 402172 CoCreateInstance 3404 402191 3399->3404 3400->3399 3401 402c41 17 API calls 3400->3401 3401->3399 3402 401423 24 API calls 3403 402250 3402->3403 3404->3402 3404->3403 3405 402484 3416 402c81 3405->3416 3408 402c41 17 API calls 3409 402497 3408->3409 3410 4024a2 RegQueryValueExW 3409->3410 3413 40288b 3409->3413 3411 4024c8 RegCloseKey 3410->3411 3412 4024c2 3410->3412 3411->3413 3412->3411 3421 406201 wsprintfW 3412->3421 3417 402c41 17 API calls 3416->3417 3418 402c98 3417->3418 3419 406127 RegOpenKeyExW 3418->3419 3420 40248e 3419->3420 3420->3408 3421->3411 3422 401f06 3423 402c41 17 API calls 3422->3423 3424 401f0c 3423->3424 3425 405322 24 API calls 3424->3425 3426 401f16 3425->3426 3437 4058a3 CreateProcessW 3426->3437 3429 401f3f CloseHandle 3432 40288b 3429->3432 3433 401f31 3434 401f41 3433->3434 3435 401f36 3433->3435 3434->3429 3445 406201 
wsprintfW 3435->3445 3438 401f1c 3437->3438 3439 4058d6 CloseHandle 3437->3439 3438->3429 3438->3432 3440 406745 WaitForSingleObject 3438->3440 3439->3438 3441 40675f 3440->3441 3442 406771 GetExitCodeProcess 3441->3442 3446 4066d0 3441->3446 3442->3433 3445->3429 3447 4066ed PeekMessageW 3446->3447 3448 4066e3 DispatchMessageW 3447->3448 3449 4066fd WaitForSingleObject 3447->3449 3448->3447 3449->3441 4246 40190c 4247 401943 4246->4247 4248 402c41 17 API calls 4247->4248 4249 401948 4248->4249 4250 4059cc 67 API calls 4249->4250 4251 401951 4250->4251 4252 40230c 4253 402314 4252->4253 4254 40231a 4252->4254 4255 402c41 17 API calls 4253->4255 4256 402328 4254->4256 4257 402c41 17 API calls 4254->4257 4255->4254 4258 402c41 17 API calls 4256->4258 4260 402336 4256->4260 4257->4256 4258->4260 4259 402c41 17 API calls 4261 40233f WritePrivateProfileStringW 4259->4261 4260->4259 4262 401f8c 4263 402c41 17 API calls 4262->4263 4264 401f93 4263->4264 4265 406694 5 API calls 4264->4265 4266 401fa2 4265->4266 4267 401fbe GlobalAlloc 4266->4267 4269 402026 4266->4269 4268 401fd2 4267->4268 4267->4269 4270 406694 5 API calls 4268->4270 4271 401fd9 4270->4271 4272 406694 5 API calls 4271->4272 4273 401fe3 4272->4273 4273->4269 4277 406201 wsprintfW 4273->4277 4275 402018 4278 406201 wsprintfW 4275->4278 4277->4275 4278->4269 4279 40238e 4280 4023c1 4279->4280 4281 402396 4279->4281 4283 402c41 17 API calls 4280->4283 4282 402c81 17 API calls 4281->4282 4285 40239d 4282->4285 4284 4023c8 4283->4284 4290 402cff 4284->4290 4287 402c41 17 API calls 4285->4287 4288 4023d5 4285->4288 4289 4023ae RegDeleteValueW RegCloseKey 4287->4289 4289->4288 4291 402d0c 4290->4291 4292 402d13 4290->4292 4291->4288 4292->4291 4294 402d44 4292->4294 4295 406127 RegOpenKeyExW 4294->4295 4296 402d72 4295->4296 4297 402d98 RegEnumKeyW 4296->4297 4298 402daf RegCloseKey 4296->4298 4299 402dd0 RegCloseKey 4296->4299 4301 402d44 6 API calls 4296->4301 4304 402dc3 4296->4304 4297->4296 4297->4298 4300 

Control-flow Graph

APIs
• SetErrorMode.KERNEL32 ref: 004033B2
• GetVersion.KERNEL32 ref: 004033B8
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
• OleInitialize.OLE32(00000000), ref: 0040342F
• SHGetFileInfoW.SHELL32(00440208,00000000,?,000002B4,00000000), ref: 0040344B
• GetCommandLineW.KERNEL32(00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
• CharNextW.USER32(00000000,004CB000,00000020,004CB000,00000000,?,00000006,00000008,0000000A), ref: 00403498
  • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
  • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
• GetTempPathW.KERNEL32(00002000,004DF000,?,00000006,00000008,0000000A), ref: 004035D2
• GetWindowsDirectoryW.KERNEL32(004DF000,00001FFB,?,00000006,00000008,0000000A), ref: 004035E3
• lstrcatW.KERNEL32(004DF000,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
• GetTempPathW.KERNEL32(00001FFC,004DF000,004DF000,\Temp,?,00000006,00000008,0000000A), ref: 00403603
• lstrcatW.KERNEL32(004DF000,Low,?,00000006,00000008,0000000A), ref: 0040360B
• SetEnvironmentVariableW.KERNEL32(TEMP,004DF000,004DF000,Low,?,00000006,00000008,0000000A), ref: 0040361C
• SetEnvironmentVariableW.KERNEL32(TMP,004DF000,?,00000006,00000008,0000000A), ref: 00403624
• DeleteFileW.KERNEL32(004DB000,?,00000006,00000008,0000000A), ref: 00403638
  • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
• ExitProcess.KERNEL32(00000006,?,00000006,00000008,0000000A), ref: 004036FE
• CoUninitialize.COMBASE(00000006,?,00000006,00000008,0000000A), ref: 00403703
• ExitProcess.KERNEL32 ref: 00403724
• lstrcatW.KERNEL32(004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
• lstrcatW.KERNEL32(004DF000,0040A26C,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
• lstrcatW.KERNEL32(004DF000,.tmp,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
• lstrcmpiW.KERNEL32(004DF000,004D7000,004DF000,.tmp,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
• SetCurrentDirectoryW.KERNEL32(004DF000,004DF000,?,00000006,00000008,0000000A), ref: 00403779
• DeleteFileW.KERNEL32(0043C208,0043C208,?,0047B000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
• CopyFileW.KERNEL32(004E7000,0043C208,00000001,?,00000006,00000008,0000000A), ref: 004037E7
• CloseHandle.KERNEL32(00000000,0043C208,0043C208,?,0043C208,00000000,?,00000006,00000008,0000000A), ref: 00403814
• GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
• OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
• AdjustTokenPrivileges.ADVAPI32 ref: 00403882
• ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
• ExitProcess.KERNEL32 ref: 004038CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                                                                                                                    • String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                                                    • API String ID: 424501083-3195845224
                                                                                                                                                                                                    • Opcode ID: 14ddf9fd8f7a6776d0279073920aaf11ecf970c0f7d5ed594b67270de8d12b9b
                                                                                                                                                                                                    • Instruction ID: 33fbdd78d52bfd04f2c73b4da217482bb076a8c6d1615cdfa2cd3638f3c4bec2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 14ddf9fd8f7a6776d0279073920aaf11ecf970c0f7d5ed594b67270de8d12b9b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 45D1F471100310AAE720BF769D45B2B3AADEB4070AF10447FF885B62E1DBBD8D55876E

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 137 405461-40547c 138 405482-405549 GetDlgItem * 3 call 404266 call 404bbf GetClientRect GetSystemMetrics SendMessageW * 2 137->138 139 40560b-405612 137->139 161 405567-40556a 138->161 162 40554b-405565 SendMessageW * 2 138->162 141 405614-405636 GetDlgItem CreateThread CloseHandle 139->141 142 40563c-405649 139->142 141->142 144 405667-405671 142->144 145 40564b-405651 142->145 146 405673-405679 144->146 147 4056c7-4056cb 144->147 149 405653-405662 ShowWindow * 2 call 404266 145->149 150 40568c-405695 call 404298 145->150 151 4056a1-4056b1 ShowWindow 146->151 152 40567b-405687 call 40420a 146->152 147->150 155 4056cd-4056d3 147->155 149->144 158 40569a-40569e 150->158 159 4056c1-4056c2 call 40420a 151->159 160 4056b3-4056bc call 405322 151->160 152->150 155->150 163 4056d5-4056e8 SendMessageW 155->163 159->147 160->159 166 40557a-405591 call 404231 161->166 167 40556c-405578 SendMessageW 161->167 162->161 168 4057ea-4057ec 163->168 169 4056ee-405719 CreatePopupMenu call 4062dc AppendMenuW 163->169 176 405593-4055a7 ShowWindow 166->176 177 4055c7-4055e8 GetDlgItem SendMessageW 166->177 167->166 168->158 174 40571b-40572b GetWindowRect 169->174 175 40572e-405743 TrackPopupMenu 169->175 174->175 175->168 178 405749-405760 175->178 179 4055b6 176->179 180 4055a9-4055b4 ShowWindow 176->180 177->168 181 4055ee-405606 SendMessageW * 2 177->181 182 405765-405780 SendMessageW 178->182 183 4055bc-4055c2 call 404266 179->183 180->183 181->168 182->182 184 405782-4057a5 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 182->184 183->177 186 4057a7-4057ce SendMessageW 184->186 186->186 187 4057d0-4057e4 GlobalUnlock SetClipboardData CloseClipboard 186->187 187->168
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 004054BF
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004054CE
                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040550B
                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 00405512
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
                                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
                                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 004055AE
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004055CF
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 004054DD
                                                                                                                                                                                                      • Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00405621
                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405636
                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 0040565A
                                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 0040565F
                                                                                                                                                                                                    • ShowWindow.USER32(00000008), ref: 004056A9
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
                                                                                                                                                                                                    • CreatePopupMenu.USER32 ref: 004056EE
                                                                                                                                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00405722
                                                                                                                                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
                                                                                                                                                                                                    • OpenClipboard.USER32(00000000), ref: 00405783
                                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00405789
                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
                                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0040579F
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
                                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004057D3
                                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
                                                                                                                                                                                                    • CloseClipboard.USER32 ref: 004057E4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                    • String ID: {
                                                                                                                                                                                                    • API String ID: 590372296-366298937
                                                                                                                                                                                                    • Opcode ID: 3f5756e17ddf514bb7e58e27119461a6e63aa272c655e6837988b65713ff16ec
                                                                                                                                                                                                    • Instruction ID: bae72a1d173c3811f2fd5642bc5838002141c6bee16c4b6d0499208050eeb164
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f5756e17ddf514bb7e58e27119461a6e63aa272c655e6837988b65713ff16ec
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CB12970900608FFDB119FA0DE89EAE7B79FB48354F00413AFA45A61A0CBB55E91DF58

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 293 100010d0-100010fe GetVersionExW 294 10001100-10001105 293->294 295 1000110a-10001113 293->295 296 10001374-10001376 294->296 297 10001115-1000111c 295->297 298 1000112c-10001143 LoadLibraryW 295->298 299 10001122-10001127 297->299 300 10001227-10001239 LoadLibraryA 297->300 301 10001145-10001156 GetProcAddress 298->301 302 100011af 298->302 304 10001372-10001373 299->304 307 10001349-1000134e 300->307 308 1000123f-10001268 GetProcAddress * 3 300->308 305 10001158-10001164 LocalAlloc 301->305 306 1000119f 301->306 303 100011b4-100011b6 302->303 309 100011b8-100011ba 303->309 310 100011bf 303->310 304->296 311 10001193-10001196 305->311 312 100011a4-100011ad FreeLibrary 306->312 307->304 313 1000133a-1000133d FreeLibrary 308->313 314 1000126e-10001270 308->314 309->304 316 100011c2-100011c7 310->316 318 10001166-10001177 NtQuerySystemInformation 311->318 319 10001198-1000119d 311->319 312->303 317 10001343-10001347 313->317 314->313 315 10001276-10001278 314->315 315->313 320 1000127e-10001289 315->320 321 100011c9-100011ee lstrcpynW lstrcmpiW 316->321 322 1000120f-10001213 316->322 317->307 323 10001350-10001354 317->323 318->312 324 10001179-10001188 LocalFree 318->324 319->312 320->313 335 1000128f-100012a3 320->335 321->322 325 100011f0-100011f7 321->325 328 10001215-10001217 322->328 329 10001219-10001222 LocalFree 322->329 326 10001370 323->326 327 10001356-1000135a 323->327 324->319 330 1000118a-10001191 LocalAlloc 324->330 325->329 332 100011f9-1000120c call 1000103f 325->332 326->304 333 10001363-10001367 327->333 334 1000135c-10001361 327->334 328->316 329->317 330->311 332->322 333->326 337 10001369-1000136e 333->337 334->304 340 1000132b-1000132d 335->340 337->304 341 10001333-10001334 CloseHandle 340->341 342 100012a8-100012bc lstrlenW 340->342 341->313 343 100012c3-100012c7 342->343 344 100012c9-100012fc lstrlenA MultiByteToWideChar lstrcmpiW 343->344 345 100012be-100012c0 343->345 347 10001320-10001327 344->347 348 100012fe-10001305 344->348 345->344 346 100012c2 345->346 346->343 347->340 348->341 349 10001307-1000131d call 1000103f 348->349 349->347
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 100010F6
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2716384725.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2716339848.0000000010000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2716451099.0000000010002000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2716495364.0000000010004000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_10000000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Version
                                                                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
                                                                                                                                                                                                    • API String ID: 1889659487-877962304
                                                                                                                                                                                                    • Opcode ID: 7d7e9519b5160fc9c378ed57362ed99c5f4eb730c932ba2a1b4742be338fdd70
                                                                                                                                                                                                    • Instruction ID: 7912c964d9e25ca6fd3cf3701ff0e873bdc70cccdad54a87c94dbd913505c8d0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d7e9519b5160fc9c378ed57362ed99c5f4eb730c932ba2a1b4742be338fdd70
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9F714671900229EFFB21DBA4CC88AEE7BF9EB483C5F114166EA15E2159E7708B44CF51

Control-flow Graph

(function at 004059CC; the rendered graph and its raw edge list are not reproduced here)
APIs
• DeleteFileW.KERNEL32(?,?,004DF000,74DF3420,00000000), ref: 004059F5
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\node_modules\regedit\vbs\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\node_modules\regedit\vbs\*.*,?,?,004DF000,74DF3420,00000000), ref: 00405A3D
• lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\node_modules\regedit\vbs\*.*,?,?,004DF000,74DF3420,00000000), ref: 00405A60
• lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\node_modules\regedit\vbs\*.*,?,?,004DF000,74DF3420,00000000), ref: 00405A66
• FindFirstFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\node_modules\regedit\vbs\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\node_modules\regedit\vbs\*.*,?,?,004DF000,74DF3420,00000000), ref: 00405A76
• FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
• FindClose.KERNEL32(00000000), ref: 00405B25
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\7z-out\resources\node_modules\regedit\vbs\*.*$\*.*
• API String ID: 2035342205-4192134101
• Opcode ID: 381ae1539308b0fff5c23660480c7799636f68814d34eb948432fba1f876741c
• Instruction ID: 3baa02bdf70247edfb0f680676f8bffda79515ede8bd61e7e13478a9eee65f3b
• Opcode Fuzzy Hash: 381ae1539308b0fff5c23660480c7799636f68814d34eb948432fba1f876741c
• Instruction Fuzzy Hash: E141D430900914AACB21AB618C89ABF7778EF45369F10427FF801711D1D77CAD81DE6E
APIs
• FindFirstFileW.KERNEL32(004DF000,00468298,C:\,00405CE0,C:\,C:\,00000000,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420), ref: 00406608
• FindClose.KERNEL32(00000000), ref: 00406614
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\
• API String ID: 2295610775-3404278061
• Opcode ID: f7cd178be2e6469beafc72b660366141f3ce998a63a06fca00c04ee689428cf9
• Instruction ID: 086872f0bf6ffc0fec3bf9e050170664210a11ef237051a194e92f35cf11c1a2
• Opcode Fuzzy Hash: f7cd178be2e6469beafc72b660366141f3ce998a63a06fca00c04ee689428cf9
• Instruction Fuzzy Hash: 52D012315455205BC7001B386E0C85B7B599F553317158F37F46AF51E0DB758C62869D
APIs
• CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: 6add73535d334bbd10faeab47eb29d8a703edf5c42766cfe57afeb0baa1f3480
• Instruction ID: 6590b0d0bd135a94e5278e34c2007f8374f9804fe0c2ec815525577e7f77d17f
• Opcode Fuzzy Hash: 6add73535d334bbd10faeab47eb29d8a703edf5c42766cfe57afeb0baa1f3480
• Instruction Fuzzy Hash: 01414C71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB44

Control-flow Graph

(function at 00403D58; the rendered graph and its raw edge list are not reproduced here)
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
                                                                                                                                                                                                    • ShowWindow.USER32(?), ref: 00403DB1
                                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00403DC5
                                                                                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
                                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00403E02
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
                                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00403E1D
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00403ECB
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 00403ED5
                                                                                                                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
                                                                                                                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 00403FE6
                                                                                                                                                                                                    • ShowWindow.USER32(00000000,?), ref: 00404007
                                                                                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
                                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 00404034
                                                                                                                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
                                                                                                                                                                                                    • EnableMenuItem.USER32(00000000), ref: 00404051
                                                                                                                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
                                                                                                                                                                                                    • lstrlenW.KERNEL32(00450248,?,00450248,00000000), ref: 004040A6
                                                                                                                                                                                                    • SetWindowTextW.USER32(?,00450248), ref: 004040BA
                                                                                                                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 004041EE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3282139019-0
                                                                                                                                                                                                    • Opcode ID: fc0f4d7be1e4c82c86fade982caad82dc734dafc7249948e3003efd3e17736fb
                                                                                                                                                                                                    • Instruction ID: ebd8885eb79f40fe398f9982bcc50e4b60f6275a3dc5f5776bcae5bce4ead0d0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fc0f4d7be1e4c82c86fade982caad82dc734dafc7249948e3003efd3e17736fb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AFC1D5B1500304ABDB206F61EE88E2B3A78FB95346F00053EF645B51F1CB799891DB6E

                                                                                                                                                                                                     Control-flow Graph
                                                                                                                                                                                                     Control-flow graph of the function at 4039aa (rendered as an image in the report with executed and not-executed blocks highlighted; the raw basic-block edge list is omitted here)
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                                      • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                                    • lstrcatW.KERNEL32(004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000,00000002,004DF000,74DF3420,004CB000,00000000), ref: 00403A2B
                                                                                                                                                                                                    • lstrlenW.KERNEL32(Delete on reboot: ,?,?,?,Delete on reboot: ,00000000,004CF000,004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000,00000002,004DF000), ref: 00403AAB
                                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,.exe,Delete on reboot: ,?,?,?,Delete on reboot: ,00000000,004CF000,004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000), ref: 00403ABE
                                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(Delete on reboot: ), ref: 00403AC9
                                                                                                                                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004CF000), ref: 00403B12
                                                                                                                                                                                                      • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                                                                                    • RegisterClassW.USER32(00472E80), ref: 00403B4F
                                                                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
                                                                                                                                                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
                                                                                                                                                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403BD2
                                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,00472E80), ref: 00403BFE
                                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,00472E80), ref: 00403C0B
                                                                                                                                                                                                    • RegisterClassW.USER32(00472E80), ref: 00403C14
                                                                                                                                                                                                    • DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$Delete on reboot: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                                    • API String ID: 1975747703-2967253400
                                                                                                                                                                                                    • Opcode ID: f1b2be5f89fac0cbf9958f47fdf3d8daba4c0bfed37b59ff3d0d792caf125e20
                                                                                                                                                                                                    • Instruction ID: e946f9b6b947081a315c1f95bc525aa973ad4f651662e5f5477bf26fdb3bf1de
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f1b2be5f89fac0cbf9958f47fdf3d8daba4c0bfed37b59ff3d0d792caf125e20
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B361C8302407007ED720AF669E45E2B3A6CEB8474AF40417FF985B51E2DBBD5951CB2E

                                                                                                                                                                                                     Control-flow Graph
                                                                                                                                                                                                     Control-flow graph of the function at 4062dc (rendered as an image in the report with executed and not-executed blocks highlighted; the raw basic-block edge list is omitted here)
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(Delete on reboot: ,00002000), ref: 0040641D
                                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(Delete on reboot: ,00002000,00000000,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,?,00405359,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000), ref: 00406430
                                                                                                                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00405359,0042F1FB,00000000,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,?,00405359,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000), ref: 0040646C
                                                                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(0042F1FB,Delete on reboot: ), ref: 0040647A
                                                                                                                                                                                                    • CoTaskMemFree.OLE32(0042F1FB), ref: 00406485
                                                                                                                                                                                                    • lstrcatW.KERNEL32(Delete on reboot: ,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
                                                                                                                                                                                                    • lstrlenW.KERNEL32(Delete on reboot: ,00000000,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,?,00405359,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000), ref: 00406503
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                                    • String ID: Delete on reboot: $Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                                    • API String ID: 717251189-3774463367
                                                                                                                                                                                                    • Opcode ID: 412c271bb9d070f278564469311d6f605cf1b48e62db3e13451b1dc2679c3c4f
                                                                                                                                                                                                    • Instruction ID: deb4280fb9253f119c0dee44fead77f8699473dbe43bed35a1e393a154a8df3c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 412c271bb9d070f278564469311d6f605cf1b48e62db3e13451b1dc2679c3c4f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 87612371A00115AADF209F64DC44BAE37A5EF45318F22803FE907B62D0D77D9AA1C75E

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00402EEE
                                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,004E7000,00002000,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                                                                                                                                                      • Part of subcall function 00405DB0: GetFileAttributesW.KERNEL32(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                                      • Part of subcall function 00405DB0: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,004EB000,00000000,004D7000,004D7000,004E7000,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • Inst, xrefs: 00402FC2
                                                                                                                                                                                                    • Error launching installer, xrefs: 00402F2D
                                                                                                                                                                                                    • Null, xrefs: 00402FD4
                                                                                                                                                                                                    • soft, xrefs: 00402FCB
                                                                                                                                                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                                                                                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                                                    • API String ID: 4283519449-527102705
                                                                                                                                                                                                    • Opcode ID: 6fdf7a3c576b274adc95fc68e3ac1b8cc101307f87f608dfe476064d1f7918cb
                                                                                                                                                                                                    • Instruction ID: d807cc789e5c0b6659aec278a7977cb1897ccc82e3fedab9e592eb30a9b28e48
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6fdf7a3c576b274adc95fc68e3ac1b8cc101307f87f608dfe476064d1f7918cb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 23511671901205ABDB20AF61DD85B9F7FACEB0431AF20403BF914B62D5C7789E818B9D

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000,00000000,ExecShellAsUser,004D3000,?,?,00000031), ref: 004017B0
                                                                                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,ExecShellAsUser,ExecShellAsUser,00000000,00000000,ExecShellAsUser,004D3000,?,?,00000031), ref: 004017D5
                                                                                                                                                                                                      • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                                      • Part of subcall function 00405322: lstrcatW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,0040327A,0040327A,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0), ref: 0040537D
                                                                                                                                                                                                      • Part of subcall function 00405322: SetWindowTextW.USER32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\), ref: 0040538F
                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp$C:\Users\user\AppData\Local\Temp\nsa8163.tmp\StdUtils.dll$ExecShellAsUser
                                                                                                                                                                                                    • API String ID: 1941528284-2052723519
                                                                                                                                                                                                    • Opcode ID: 84cc1ef8d08a74648e49299eefb5f22073aa957ae4a4092afed5da839c45f715
                                                                                                                                                                                                    • Instruction ID: c6e8234c1d4b6e0ef99598e998ad36802638a9a190aaa2bd7459f070bf199d51
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 84cc1ef8d08a74648e49299eefb5f22073aa957ae4a4092afed5da839c45f715
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9841B471900514BACF107BA5CD45DAF3A79EF05368F20423FF422B10E1DA3C86919A6E

Control-flow Graph
• (interactive graph not reproduced; entry block 406624-406644, blocks call GetSystemDirectoryW, wsprintfW and LoadLibraryExW)
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
• wsprintfW.USER32 ref: 00406676
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction ID: 9fa172bba6ca99a644905d2b6d7ed641771312ed853c50fe9922007c80c3d461
• Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction Fuzzy Hash: 7CF0FC70501119A6CF10BB64DD0EF9B365CA700304F10447AA54AF10D1EBB9DB64CB99

Control-flow Graph
• (interactive graph not reproduced; entry block 403116-40312d, blocks call GetTickCount, MulDiv and wsprintfW plus internal routines 403331, 403347, 405322, 405e62 and 4067f5)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: ... %d%%
• API String ID: 551687249-2449383134
• Opcode ID: 791be84a4dbf0ce6e2b89685bbb0426d8c944effbebd544c9fcf1485a6d681ca
• Instruction ID: f437ad28db75119c3a693f92e670aa5c34007c7df9fe8e0debaece40423bbb79
• Opcode Fuzzy Hash: 791be84a4dbf0ce6e2b89685bbb0426d8c944effbebd544c9fcf1485a6d681ca
• Instruction Fuzzy Hash: 0D517D71900219DBDB10DF66EA44AAE7BB8AB04356F54417FEC14B72C0CB388A51CBA9

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 756 401c1f-401c3f call 402c1f * 2 761 401c41-401c48 call 402c41 756->761 762 401c4b-401c4f 756->762 761->762 764 401c51-401c58 call 402c41 762->764 765 401c5b-401c61 762->765 764->765 768 401c63-401c7f call 402c1f * 2 765->768 769 401caf-401cd9 call 402c41 * 2 FindWindowExW 765->769 779 401c81-401c9d SendMessageTimeoutW 768->779 780 401c9f-401cad SendMessageW 768->780 781 401cdf 769->781 782 401ce2-401ce5 779->782 780->781 781->782 783 402ac5-402ad4 782->783 784 401ceb 782->784 784->783
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 3fb84e4798befa08d55ab41dd677560f87883767086f956b8989b4831fa63046
• Instruction ID: 1af55e8da281c8781352e9764615226c40e2312ccaecb42dabcb88ef8baddf82
• Opcode Fuzzy Hash: 3fb84e4798befa08d55ab41dd677560f87883767086f956b8989b4831fa63046
• Instruction Fuzzy Hash: 5621C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889809B19

Control-flow Graph (legend: Executed / Not Executed)

Basic blocks:
• 787: 4023e4-402415, call 402c41 (x2), call 402cd1
• 794: 402ac5-402ad4
• 795: 40241b-402425
• 797: 402427-402434, call 402c41, lstrlenW
• 798: 402438-40243b
• 801: 40243d-40244e, call 402c1f
• 802: 40244f-402452
• 805: 402463-402477, RegSetValueExW
• 806: 402454-40245e, call 403116
• 809: 402479
• 810: 40247c-40255d, RegCloseKey
Edges: 787->794, 787->795, 795->797, 795->798, 797->798, 798->801, 798->802, 801->802, 802->805, 802->806, 805->809, 805->810, 806->805, 809->810, 810->794
APIs
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa8163.tmp,00000023,00000011,00000002), ref: 0040242F
• RegSetValueExW.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,00000000,00000011,00000002), ref: 0040246F
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,00000000,00000011,00000002), ref: 00402557
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp
• API String ID: 2655323295-2144395985
• Opcode ID: 1af8095f3c9504d2ce798825688ccba5ec512a5a8ae6ba4a7bc3247cfd6f00f3
• Instruction ID: a703f9f7a84a81219e2528cb215680d2185ac4e531b753f9c0eacf199e84c27d
• Opcode Fuzzy Hash: 1af8095f3c9504d2ce798825688ccba5ec512a5a8ae6ba4a7bc3247cfd6f00f3
• Instruction Fuzzy Hash: AF118471D00104BEEB10AFA5DE89EAEBA74AB44754F11803BF504F71D1D7F48D409B29

Control-flow Graph (legend: Executed / Not Executed)

Basic blocks:
• 812: 4057f1-40583c, CreateDirectoryW
• 813: 405842-40584f, GetLastError
• 814: 40583e-405840
• 815: 405869-40586b
• 816: 405851-405865, SetFileSecurityW
• 817: 405867, GetLastError
Edges: 812->813, 812->814, 813->815, 813->816, 814->815, 816->814, 816->817, 817->815
APIs
• CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
• GetLastError.KERNEL32 ref: 00405848
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
• GetLastError.KERNEL32 ref: 00405867
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID:
• API String ID: 3449924974-0
• Opcode ID: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
• Instruction ID: d156970015101e62572267df52bf1fb018b172c5ebb67f048bc3511340661aba
• Opcode Fuzzy Hash: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
• Instruction Fuzzy Hash: EB010872D00219EADF009FA1C944BEFBBB8EF14304F00803AE945B6280D7789618CFA9

Control-flow Graph (legend: Executed / Not Executed)

Basic blocks:
• 818: 405c97-405cb2, call 4062ba, call 405c3a
• 823: 405cb4-405cb6
• 824: 405cb8-405cc5, call 40654e
• 825: 405d10-405d12
• 828: 405cd5-405cd9
• 829: 405cc7-405ccd
• 830: 405ccf-405cd3
• 831: 405cef-405cf8, lstrlenW
• 832: 405cfa-405d0e, call 405b8f, GetFileAttributesW
• 833: 405cdb-405ce2, call 4065fd
• 838: 405ce4-405ce7
• 839: 405ce9-405cea, call 405bdb
Edges: 818->823, 818->824, 823->825, 824->828, 824->829, 828->831, 829->823, 829->830, 830->823, 830->828, 831->832, 831->833, 832->825, 833->838, 833->839, 838->823, 838->839, 839->831
APIs
  • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
  • Part of subcall function 00405C3A: CharNextW.USER32(?,?,C:\,?,00405CAE,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405C48
  • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
  • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
• lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405CF0
• GetFileAttributesW.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420), ref: 00405D00
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                                    • API String ID: 3248276644-3404278061
                                                                                                                                                                                                    • Opcode ID: 1236b3014a845ece28ca986cac263987dd07c4e4a123605a37d0802bd6a8cdf3
                                                                                                                                                                                                    • Instruction ID: 4e01e145a0ed536ad24acc563e8a85444835dd946e40d448b56664b374cc0476
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1236b3014a845ece28ca986cac263987dd07c4e4a123605a37d0802bd6a8cdf3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 21F0F43500DF6125F626333A1C45AAF2555CE82328B6A057FFC62B12D2DA3C89539D7E
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,00004000,00000002,?,00000000,?,?,Delete on reboot: ,?,?,004063FC,80000002), ref: 004061CE
                                                                                                                                                                                                    • RegCloseKey.KERNEL32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,Delete on reboot: ,Delete on reboot: ,Delete on reboot: ,00000000,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\), ref: 004061D9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                                    • String ID: Delete on reboot:
                                                                                                                                                                                                    • API String ID: 3356406503-2410499825
                                                                                                                                                                                                    • Opcode ID: 7e8f2b507172300fff4d18ea8023ba838134d56d13ff8a7450bb17b0ad457722
                                                                                                                                                                                                    • Instruction ID: 8659262355d6ebf2290daf59b07b2549fc881bd87fa0bb5ea6267207f8cb0b09
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e8f2b507172300fff4d18ea8023ba838134d56d13ff8a7450bb17b0ad457722
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 68017C72500209EADF218F51DD09EDB3BB8EF55364F01403AFE16A61A1D378DA64EBA4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00405DFD
                                                                                                                                                                                                    • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,004CB000,0040338D,004DB000,004DF000,004DF000,004DF000,004DF000,004DF000,74DF3420,004035D9), ref: 00405E18
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CountFileNameTempTick
                                                                                                                                                                                                    • String ID: nsa
                                                                                                                                                                                                    • API String ID: 1716503409-2209301699
                                                                                                                                                                                                    • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                                                                                                                    • Instruction ID: af8b6ba947558e1b0daa3aed001b6e0f80e178ffca66ecedc63f3e0829e9a41e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 61F03076A00304FBEB009F69ED05E9FB7BCEB95710F10803AE941E7250E6B09A548B64
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00468250,Error launching installer), ref: 004058CC
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004058D9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • Error launching installer, xrefs: 004058B6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseCreateHandleProcess
                                                                                                                                                                                                    • String ID: Error launching installer
                                                                                                                                                                                                    • API String ID: 3712363035-66219284
                                                                                                                                                                                                    • Opcode ID: 63fdd641d1b9510881a379fce0cbff5cab58f1c092c5a17148380fd449a2e826
                                                                                                                                                                                                    • Instruction ID: 30392a530fa928b09b8412afc6dc4f2cd20664ca8a9f97139eafb5a2ce14b88a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 63fdd641d1b9510881a379fce0cbff5cab58f1c092c5a17148380fd449a2e826
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 33E09AB5540609BFEB009B64DD05F7B77ACEB04708F508565BD51F2150EB749C148A79
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040205D
  • Part of subcall function 00405322: lstrlenW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
  • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
  • Part of subcall function 00405322: lstrcatW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,0040327A,0040327A,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0), ref: 0040537D
  • Part of subcall function 00405322: SetWindowTextW.USER32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\), ref: 0040538F
  • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
  • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
  • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
• FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Opcode ID: 72a5e19f9697d1318c9a310d29b5b60265bfdb2e952e74c10cb73e1909f0eb38
• Instruction ID: 3abd81b96889d1c7eb1cceed2e7b5e281284f1a6e6a9a5ff44b88a827c8e1d1c
• Opcode Fuzzy Hash: 72a5e19f9697d1318c9a310d29b5b60265bfdb2e952e74c10cb73e1909f0eb38
• Instruction Fuzzy Hash: 8821B071D00205AACF20AFA5CE48A9E7A70BF04358F60413BF511B11E0DBBD8981DA6E
APIs
• GlobalFree.KERNEL32(0088E4F8), ref: 00401BE7
• GlobalAlloc.KERNEL32(00000040,00004004), ref: 00401BF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Global$AllocFree
• String ID: ExecShellAsUser
• API String ID: 3394109436-869331269
• Opcode ID: 0ee5b69d2cfb3a0a2e0f3aae0319e9b1983c649d140d642359d16bc307d41886
• Instruction ID: 2ffc4b8e8b305263ff1bfe934f744a2e7f0909984677ca7ca3d2d917788d1148
• Opcode Fuzzy Hash: 0ee5b69d2cfb3a0a2e0f3aae0319e9b1983c649d140d642359d16bc307d41886
• Instruction Fuzzy Hash: 52210A76600100ABCB10FF95CE8499E73A8EB48318BA4443FF506F32D0DB78A852DB6D
APIs
  • Part of subcall function 004065FD: FindFirstFileW.KERNEL32(004DF000,00468298,C:\,00405CE0,C:\,C:\,00000000,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420), ref: 00406608
  • Part of subcall function 004065FD: FindClose.KERNEL32(00000000), ref: 00406614
• lstrlenW.KERNEL32 ref: 00402299
• lstrlenW.KERNEL32(00000000), ref: 004022A4
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: FileFindlstrlen$CloseFirstOperation
• String ID:
• API String ID: 1486964399-0
• Opcode ID: 29d6f0bed4bd2d50b69dd1226e545e03bb95794d8620927361660d91590f24b0
• Instruction ID: edc96df04b91ed766a503f65766f364d086ea8d205cfe5bb15309c141496b913
• Opcode Fuzzy Hash: 29d6f0bed4bd2d50b69dd1226e545e03bb95794d8620927361660d91590f24b0
• Instruction Fuzzy Hash: 57117071900318A6DB10EFF98E4999EB7B8AF04344F50443FB805F72D1D6B8C4419B59
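The API records above are the raw material a reviewer works from when deciding whether an NSIS installer's behaviour is benign cleanup or something worse: the "Delete on reboot:" status text it writes to its own window names a path queued for deletion at next boot, LoadLibraryExW/FreeLibrary pairs are how NSIS calls plugin DLLs on demand, SHFileOperationW can remove whole trees, and SetFileAttributesW(path, 0) before DeleteFileW/RemoveDirectoryW strips read-only and hidden bits so the delete succeeds. The following is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses record lines of the form shown here (`Func.Module(args), ref: addr`, with or without the "Part of subcall function" prefix and with or without an argument list) into structured calls, pulls out the delete-on-reboot paths, and tags each record with a few triage rules. The sample records are copied from this report; the rule names and what each pattern is taken to mean are the example's own assumptions.

```python
"""Parse Joe Sandbox 'APIs' records and run simple triage rules over them.

Added example, not code from the Joe Sandbox report.  Record texts below are
copied from the report; the triage tags are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One record line (leading whitespace and the bullet are optional):
#   • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040205D
#   • Part of subcall function 00405322: lstrlenW.KERNEL32(...), ref: 0040535A
#   • lstrlenW.KERNEL32 ref: 00402299          <- no argument list at all
API_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]        # raw argument strings; '?' means the sandbox could not resolve it
    ref: str               # address of the call instruction
    callee: Optional[str]  # sub-function address when reported as "Part of subcall"


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Arguments in these records never contain a comma, so a plain split is
    # enough; a path argument keeps its trailing backslash.
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m["api"], m["module"], args, m["ref"].upper(), m["callee"])


def parse_record(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def delete_on_reboot_paths(calls: List[ApiCall]) -> Set[str]:
    """Paths queued for deletion at next boot, from the installer's
    'Delete on reboot: <path>' status text."""
    prefix = "Delete on reboot:"
    return {a[len(prefix):].strip() for c in calls for a in c.args if a.startswith(prefix)}


def triage(calls: List[ApiCall]) -> Set[str]:
    """Tags describing what the record's call mix implies (assumed rules)."""
    apis = {c.api for c in calls}
    tags = set()
    if delete_on_reboot_paths(calls):
        tags.add("delete_on_reboot")
    if {"LoadLibraryExW", "FreeLibrary"} <= apis:
        tags.add("runtime_dll_load")           # NSIS loads each plugin DLL on demand
    if "SHFileOperationW" in apis:
        tags.add("shell_file_operation")       # can delete or move whole trees
    if "SetFileAttributesW" in apis and apis & {"DeleteFileW", "RemoveDirectoryW"}:
        tags.add("attribute_clear_before_delete")  # SetFileAttributesW(path, 0) drops read-only/hidden
    return tags


# Constructed test input: API lines copied from three records of this report.
RECORD_PLUGIN_LOAD = r"""
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040205D
  • Part of subcall function 00405322: lstrlenW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
  • Part of subcall function 00405322: SetWindowTextW.USER32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\), ref: 0040538F
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
• FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
"""
RECORD_SHFILEOP = r"""
  • Part of subcall function 004065FD: FindFirstFileW.KERNEL32(004DF000,00468298,C:\,00405CE0,C:\,C:\,00000000,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420), ref: 00406608
  • Part of subcall function 004065FD: FindClose.KERNEL32(00000000), ref: 00406614
• lstrlenW.KERNEL32 ref: 00402299
• lstrlenW.KERNEL32(00000000), ref: 004022A4
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD
"""
RECORD_DELETE = r"""
  • Part of subcall function 00405D8B: GetFileAttributesW.KERNEL32(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
  • Part of subcall function 00405D8B: SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4
• RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405B66), ref: 0040599F
• DeleteFileW.KERNEL32(?,?,?,00000000,00405B66), ref: 004059A7
• SetFileAttributesW.KERNEL32(?,00000000), ref: 004059BF
"""

if __name__ == "__main__":
    for name, rec in [("plugin_load", RECORD_PLUGIN_LOAD), ("shfileop", RECORD_SHFILEOP), ("delete", RECORD_DELETE)]:
        calls = parse_record(rec)
        print(name, sorted(triage(calls)), sorted(delete_on_reboot_paths(calls)))
```

The parser keys on the `ref:` address so that non-API lines of a record (Memory Dump Source, Similarity, hashes) are ignored without a separate filter; feeding it a whole function-analysis section and grouping by the preceding `APIs` heading is the natural next step.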
APIs
  • Part of subcall function 00405D8B: GetFileAttributesW.KERNEL32(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
  • Part of subcall function 00405D8B: SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4
• RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405B66), ref: 0040599F
• DeleteFileW.KERNEL32(?,?,?,00000000,00405B66), ref: 004059A7
• SetFileAttributesW.KERNEL32(?,00000000), ref: 004059BF
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1655745494-0
                                                                                                                                                                                                    • Opcode ID: 280825f6b60181aa2d378306bbdc3da53de5ab3d89a200e418c4f7b9ea6af3cc
                                                                                                                                                                                                    • Instruction ID: 825022a906987a8d14f11fb4079f6fb6242afe5a54bc5f1377d2c32e3c215ab4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 280825f6b60181aa2d378306bbdc3da53de5ab3d89a200e418c4f7b9ea6af3cc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D1E0E5B1119F5096D21067349A0CB5B2AA4DF86334F05093AF891F11C0DB3844068EBE
APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040676B
• GetExitCodeProcess.KERNEL32(?,?), ref: 00406778
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: ObjectSingleWait$CodeExitProcess
• String ID:
• API String ID: 2567322000-0
• Opcode ID: 8850f1db5c8bafd25532af3e029db14712012aa3b99a83eba6723ce3b95d358e
• Instruction ID: 2ff090df47ec3168816afe0ece5e8e172b9e43290e206bfe863d37fdb1930cd3
• Opcode Fuzzy Hash: 8850f1db5c8bafd25532af3e029db14712012aa3b99a83eba6723ce3b95d358e
• Instruction Fuzzy Hash: 58E09231600118BBDB10AF44CD02E9E7B6ADB44744F114037FA01B6191D6B5AE21AAA8
APIs
  • Part of subcall function 00405C3A: CharNextW.USER32(?,?,C:\,?,00405CAE,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405C48
  • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
  • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
• GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 004057F1: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
• SetCurrentDirectoryW.KERNEL32(?,004D3000,?,00000000,000000F0), ref: 0040164D
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID:
• API String ID: 1892508949-0
• Opcode ID: 125bac33416d21a80fc522b842b933099275dd0dd1ea66691da55d5ffdcd1f5d
• Instruction ID: 536d45c59d08a7b21130d9dbd5b0e10796a041e4a40079992e14d28e29d42f71
• Opcode Fuzzy Hash: 125bac33416d21a80fc522b842b933099275dd0dd1ea66691da55d5ffdcd1f5d
• Instruction Fuzzy Hash: 2211E231504505EBCF30AFA1CD0159F36A0EF14369B28493BFA45B22F1DB3E8A919B5E
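The function entries in this part of the report all share one fixed layout: an APIs list (each call written as `Name.MODULE(args), ref: address`, with `Part of subcall function` marking calls made by a callee rather than the function itself), a Memory Dump Source, the Joe Sandbox IDA Plugin snapshot, and Similarity fields (API ID, API String ID, opcode and instruction fuzzy hashes). What follows is an added example, not part of the Joe Sandbox report or its tooling: a small Python parser for that layout, run on two entries copied from the page (indentation and link text removed) and embedded as constructed sample input. It turns the listing into records, separates a function's own calls from subcall lines, pulls the timeout out of the WaitForSingleObject/GetExitCodeProcess pairing (0x64 = 100 ms polls on a child process), and indexes entries by API String ID so the same function can be matched across reports. The record and helper names are mine, not Joe Sandbox's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: two function entries copied from the report layout
# (indentation and "Download File" link text removed) so the parser runs offline.
SAMPLE = r"""APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040676B
• GetExitCodeProcess.KERNEL32(?,?), ref: 00406778
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: ObjectSingleWait$CodeExitProcess
• String ID:
• API String ID: 2567322000-0
• Instruction Fuzzy Hash: 58E09231600118BBDB10AF44CD02E9E7B6ADB44744F114037FA01B6191D6B5AE21AAA8
APIs
  • Part of subcall function 00405C3A: CharNextW.USER32(?,?,C:\,?,00405CAE,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405C48
  • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
• GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 004057F1: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
• SetCurrentDirectoryW.KERNEL32(?,004D3000,?,00000000,000000F0), ref: 0040164D
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• API String ID: 1892508949-0
"""

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Name.MODULE(args), ref: address, optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    caller: Optional[int] = None  # set when the call belongs to a callee (subcall line)


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # bullet key/values outside APIs


def parse_report(text: str) -> List[FunctionEntry]:
    """Split report text into one FunctionEntry per 'APIs' heading."""
    entries: List[FunctionEntry] = []
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            section = line
            if line == "APIs":        # every entry starts with its APIs list
                entries.append(FunctionEntry())
        elif not entries or not line:
            pass                      # blank lines, or residue before the first entry
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                caller = int(m["caller"], 16) if m["caller"] else None
                entries[-1].apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller))
        else:
            m = FIELD_RE.match(line)
            if m:                     # first occurrence wins (Associated repeats many times)
                entries[-1].fields.setdefault(m["key"].strip(), m["value"].strip())
    return entries


def direct_calls(entry: FunctionEntry) -> List[str]:
    """API names the function calls itself; subcall lines describe its callees."""
    return [c.name for c in entry.apis if c.caller is None]


def child_wait_timeouts(entries: List[FunctionEntry]) -> Dict[int, int]:
    """Call site -> timeout (ms) of WaitForSingleObject in functions that also read an
    exit code, i.e. code that spawns a process and polls it until it finishes."""
    out: Dict[int, int] = {}
    for e in entries:
        if "GetExitCodeProcess" not in direct_calls(e):
            continue
        for c in e.apis:
            if c.name == "WaitForSingleObject" and len(c.args) > 1 and c.args[1] != "?":
                out[c.ref] = int(c.args[1], 16)
    return out


def index_by_api_string_id(entries: List[FunctionEntry]) -> Dict[str, List[int]]:
    """API String ID -> call site of each entry's first own call, to line up the same
    function across reports of related samples."""
    idx: Dict[str, List[int]] = {}
    for e in entries:
        sid = e.fields.get("API String ID")
        own = [c.ref for c in e.apis if c.caller is None] or [c.ref for c in e.apis]
        if sid and own:
            idx.setdefault(sid, []).append(own[0])
    return idx


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for e in parsed:
        print(e.fields.get("API String ID"), direct_calls(e))
    print({hex(k): v for k, v in child_wait_timeouts(parsed).items()})
```

Feed the full report text in place of SAMPLE to triage every function at once. The regexes assume the bullet character and `ref:` format shown on this page; the hash fields are kept as strings because they are only ever compared, never decoded.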
APIs
• RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,00000000,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 8c6ae37f0c00b40db9a7f0b8771259aad396ca2ebfe9c6ecab15c5ec5bd387db
• Instruction ID: 1206e07bb255176646816810ef0290bee69920d7ecde6c9ccbb84b14c6b4306b
• Opcode Fuzzy Hash: 8c6ae37f0c00b40db9a7f0b8771259aad396ca2ebfe9c6ecab15c5ec5bd387db
• Instruction Fuzzy Hash: E311A771D10205EBDF14DFA4CA585AE77B4EF44348B20843FE505B72C0D6B89A41EB5E
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• OleInitialize.OLE32(00000000), ref: 00405405
  • Part of subcall function 0040427D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F
• CoUninitialize.COMBASE(00000404,00000000), ref: 00405451
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401E67
• EnableWindow.USER32(00000000,00000000), ref: 00401E72
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
  • Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
  • Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
  • Part of subcall function 00406624: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
                                                                                                                                                                                                    • Opcode ID: 2c450699f5e5c6ed5e41876474a170b73f17b01a65d70064c3ee9ca103cb2d45
                                                                                                                                                                                                    • Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c450699f5e5c6ed5e41876474a170b73f17b01a65d70064c3ee9ca103cb2d45
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,004DF000,00000000,74DF3420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00403936
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID:
• API String ID: 1100898210-0
• Opcode ID: bd7b370b1f223a5589d226506ef49f546026ce3eccc4315b581019b2d362f361
• Instruction ID: 228f896298dd83b048f64e6024dd5859bf02c68f9830d759f3998b57695c5827
• Opcode Fuzzy Hash: bd7b370b1f223a5589d226506ef49f546026ce3eccc4315b581019b2d362f361
• Instruction Fuzzy Hash: 12E0C2334122205BC6215F04ED08B5A776CAF49B32F15407AFA807B2A087B81C928FC8
APIs
• GetFileAttributesW.KERNEL32(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
• CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
• Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
• Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
• Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
APIs
• GetFileAttributesW.KERNEL32(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
• Instruction ID: fe430eedc911e7c92ce83e5abbc00e08444bb0e311ec0623c818608bfa408f6d
• Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
• Instruction Fuzzy Hash: 1BD0C972504420ABD2512728AF0C89BBB95DB542717028B39FAA9A22B0CB304C568A98
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00403703,00000006,?,00000006,00000008,0000000A), ref: 004038DB
Strings
• C:\Users\user\AppData\Local\Temp\nsa8163.tmp\, xrefs: 004038EF
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\
• API String ID: 2962429428-1098170610
APIs
• CreateDirectoryW.KERNEL32(?,00000000,00403382,004DF000,004DF000,004DF000,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
• GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040617E
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00428200,?,00428200,?,?,00000004,00000000), ref: 00405E76
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
• Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
• Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
• Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8
APIs
• RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,004061B5,?,00000000,?,?,Delete on reboot: ,?), ref: 0040614B
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
• Instruction ID: b908bd292ce434c6339c018d18c1e3bfafdd2f7559b63d477f04a141d62eba1a
• Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
• Instruction Fuzzy Hash: 94D0123214020DFBDF119E909D01FAB775DAB08350F014426FE06A9191D776D530AB14
APIs
• MoveFileExW.KERNEL32(?,?,00000005,00405B7E,?,00000000,000000F1,?,?,?,?,?), ref: 0040608A
  • Part of subcall function 00405F06: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
  • Part of subcall function 00405F06: GetShortPathNameW.KERNEL32(?,004688E8,00000400), ref: 00405F4A
  • Part of subcall function 00405F06: GetShortPathNameW.KERNEL32(?,004690E8,00000400), ref: 00405F67
  • Part of subcall function 00405F06: wsprintfA.USER32 ref: 00405F85
  • Part of subcall function 00405F06: GetFileSize.KERNEL32(00000000,00000000,004690E8,C0000000,00000004,004690E8,?,?,?,?,?), ref: 00405FC0
  • Part of subcall function 00405F06: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
  • Part of subcall function 00405F06: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
  • Part of subcall function 00405F06: SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004684E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
• String ID:
• API String ID: 1930046112-0
• Opcode ID: a0a4fc277c167b836c478514f4bee1604d33cb824f5458dd384cc09b2e4e5c73
• Instruction ID: 90c27e8b518d79db7b79f3353fecf9451eb8ea8c7f58bc67283902775dd808e1
• Opcode Fuzzy Hash: a0a4fc277c167b836c478514f4bee1604d33cb824f5458dd384cc09b2e4e5c73
• Instruction Fuzzy Hash: 5FD0C932148201BEDB165B10ED05A1FBBA1FB90355F11D43EF28DA00B0EB3684B4EF0A
APIs
• SetDlgItemTextW.USER32(?,?,00000000), ref: 0040424B
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
• Opcode ID: fbaad98f197721c3337b4145f660dfcccd1462cc21775b0cc75c291dee439915
• Instruction ID: 58c8b0ee816a9f079cb4560b894257bfb9dfa06490f5d5235509ae25e2c95a64
• Opcode Fuzzy Hash: fbaad98f197721c3337b4145f660dfcccd1462cc21775b0cc75c291dee439915
• Instruction Fuzzy Hash: 79C04C76148300BFD681BB55CC42F1FB79DEF94315F44C52EB59CA11E2C63A84309B26
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNEL32(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040402A), ref: 0040425D
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
  • Part of subcall function 00405322: lstrlenW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
  • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
  • Part of subcall function 00405322: lstrcatW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,0040327A,0040327A,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0), ref: 0040537D
  • Part of subcall function 00405322: SetWindowTextW.USER32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\), ref: 0040538F
  • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
  • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
  • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
  • Part of subcall function 004058A3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00468250,Error launching installer), ref: 004058CC
  • Part of subcall function 004058A3: CloseHandle.KERNEL32(?), ref: 004058D9
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D
  • Part of subcall function 00406745: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
  • Part of subcall function 00406745: GetExitCodeProcess.KERNEL32(?,?), ref: 00406778
  • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
• String ID:
• API String ID: 2972824698-0
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404CB6
• GetDlgItem.USER32(?,00000408), ref: 00404CC1
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
• LoadBitmapW.USER32(0000006E), ref: 00404D1E
• SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
• SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
• DeleteObject.GDI32(00000000), ref: 00404D94
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
• SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
• GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
• ShowWindow.USER32(?,00000005), ref: 00404EEE
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
• ImageList_Destroy.COMCTL32(?), ref: 004050BE
• GlobalFree.KERNEL32(?), ref: 004050CE
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
• SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
• InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
• ShowWindow.USER32(?,00000000), ref: 0040526D
• GetDlgItem.USER32(?,000003FE), ref: 00405278
• ShowWindow.USER32(00000000), ref: 0040527F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018
APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404771
• SetWindowTextW.USER32(00000000,?), ref: 0040479B
• SHBrowseForFolderW.SHELL32(?), ref: 0040484C
• CoTaskMemFree.OLE32(00000000), ref: 00404857
• lstrcmpiW.KERNEL32(Delete on reboot: ,00450248,00000000,?,?), ref: 00404889
• lstrcatW.KERNEL32(?,Delete on reboot: ), ref: 00404895
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7
  • Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00002000,004048DE), ref: 00405917
  • Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
  • Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
  • Part of subcall function 0040654E: CharNextW.USER32(?,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
  • Part of subcall function 0040654E: CharPrevW.USER32(?,?,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
• GetDiskFreeSpaceW.KERNEL32(00440218,?,?,0000040F,?,00440218,00440218,?,00000001,00440218,?,?,000003FB,?), ref: 0040496A
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985
  • Part of subcall function 00404ADE: lstrlenW.KERNEL32(00450248,00450248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
  • Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
  • Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,00450248), ref: 00404B9B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                    • String ID: A$Delete on reboot:
                                                                                                                                                                                                    • API String ID: 2624150263-2014378647
                                                                                                                                                                                                    • Opcode ID: d9ff5aa2ff53ffbe0c3723e23dc604a8a31f393e15f5d8e1a009d79f52351d08
                                                                                                                                                                                                    • Instruction ID: aec38ac33e169681c2ce75898e964705c21f391e9d8eef84a8e49708370a7c65
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d9ff5aa2ff53ffbe0c3723e23dc604a8a31f393e15f5d8e1a009d79f52351d08
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0CA173B1900208ABDB11AFA5CD45AAF77B8EF84314F10847BF605B62D1D77C99418F6D
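The per-function "APIs" listings in this report are raw argument dumps: eight-hex-digit values, `?` for arguments the analyzer could not resolve, and an occasional literal string. Triage is faster once they are parsed into records and the well-known constants are named. The following Python is an added example, not part of the Joe Sandbox report and not code from the analyzed sample: it parses lines in exactly the format used here (including the "Part of subcall function" prefix and the wsprintfW line that carries no argument list), keeps `?` distinct from zero, and decodes the rich-edit messages that the SendMessageW calls listed later in this report pass (EM_AUTOURLDETECT, EM_SETBKGNDCOLOR and EM_SETEVENTMASK with an ENM_LINK|ENM_KEYEVENTS mask), using the WM_USER-relative values from richedit.h. The sample input is constructed from lines of this report, and the constant table covers only those messages; everything else is shown as a raw value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample input: lines in the format of this report's per-function "APIs"
# listings (GetDiskFreeSpaceW/MulDiv/wsprintfW/SetDlgItemTextW from the function above,
# SendMessageW from the dialog-setup function later in the report).
SAMPLE = """\
• GetDiskFreeSpaceW.KERNEL32(00440218,?,?,0000040F,?,00440218,00440218,?,00000001,00440218,?,?,000003FB,?), ref: 0040496A
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985
• Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
• Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,00450248), ref: 00404B9B
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
"""

# One report line: optional bullet, optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, an optional parenthesised argument list, then "ref: XXXXXXXX".
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

Arg = Union[int, str, None]   # hex value, literal string, or None for an unresolved "?"

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[Arg, ...]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when the line is "Part of subcall function"

def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok   # literal such as %u.%u%s%s (no literal in this report contains a comma)

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(parse_arg(t) for t in raw.split(",")) if raw else ()
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("mod"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)

def parse_api_block(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c is not None]

# Rich-edit message and event-mask constants from richedit.h (WM_USER = 0x400);
# only the ones this report's SendMessageW calls use are listed.
WM_USER = 0x0400
MESSAGE_NAMES = {
    WM_USER + 67: "EM_SETBKGNDCOLOR",
    WM_USER + 69: "EM_SETEVENTMASK",
    WM_USER + 91: "EM_AUTOURLDETECT",
}
ENM_FLAGS = {0x04000000: "ENM_LINK", 0x00010000: "ENM_KEYEVENTS"}

def fmt(a: Arg) -> str:
    if a is None:
        return "?"
    if isinstance(a, int):
        return f"0x{a:X}"
    return repr(a)

def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)          # bits not covered by the table stay visible
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"

def describe(call: ApiCall) -> str:
    """Readable rendering of one call; SendMessageW gets its message and mask decoded."""
    args = list(call.args)
    if call.api == "SendMessageW" and len(args) == 4 and isinstance(args[1], int):
        msg = args[1]
        name = MESSAGE_NAMES.get(msg) or (f"WM_USER+{msg - WM_USER}" if msg >= WM_USER else fmt(msg))
        shown = [fmt(args[0]), name, fmt(args[2]), fmt(args[3])]
        if name == "EM_SETEVENTMASK" and isinstance(args[3], int):
            shown[3] = decode_flags(args[3], ENM_FLAGS)
        return f"{call.api}({', '.join(shown)})"
    return f"{call.api}({', '.join(fmt(a) for a in args)})"

if __name__ == "__main__":
    for call in parse_api_block(SAMPLE):
        where = f"{call.ref:08X}" + (f" (in sub_{call.subcall_of:08X})" if call.subcall_of else "")
        print(f"{where}: {describe(call)}")
```

Unresolved arguments are kept as `None` rather than coerced to zero, so a later pass can tell "the analyzer could not see this value" apart from "the value was 0"; the unknown-message fallback prints `WM_USER+n`, which is the form the richedit.h definitions use and is the quickest way to look up a constant that is not in the table.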
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 54b460b755f9bf27e46ac1d39a8a1124328dc74cebdc85c095498b08f8838b6a
• Instruction ID: 11d43fc069a5ea90b0fea77c2c23c6da8a8dfc92bb9fdb714ff4c9b8b345b962
• Opcode Fuzzy Hash: 54b460b755f9bf27e46ac1d39a8a1124328dc74cebdc85c095498b08f8838b6a
• Instruction Fuzzy Hash: 9BF08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D909B2A
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
• Instruction ID: 703def0becceeecb9d8561ea32c53bcab4b84ebc773a8a1d0b412cad538f794c
• Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
• Instruction Fuzzy Hash: 1EE1797190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e4e8af0329ccb159007ad6c77c0af05cb35f857c46231da8f5d0a1659340364
• Instruction ID: 59779062152899835760f0dc2f5c49596223a290c6efd11eddd93cbc7c663e45
• Opcode Fuzzy Hash: 0e4e8af0329ccb159007ad6c77c0af05cb35f857c46231da8f5d0a1659340364
• Instruction Fuzzy Hash: 0FC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
• GetDlgItem.USER32(?,000003E8), ref: 004044A2
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
• GetSysColor.USER32(?), ref: 004044D0
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
                                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 004044F1
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
                                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040456C
                                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 00404573
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040459E
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 004045F2
                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040460E
                                                                                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
                                                                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: Delete on reboot: $N$gC@
• API String ID: 3103080414-1763248576
• Opcode ID: 96cce4fce431ccadf5917f17b99feddee1f1d895ae547b1ae29d71d99e1dfbb5
• Instruction ID: 3402c350d7270d9961c63d8365249516a5ebc70a9ec23ab72cb453283ebd69b0
• Opcode Fuzzy Hash: 96cce4fce431ccadf5917f17b99feddee1f1d895ae547b1ae29d71d99e1dfbb5
• Instruction Fuzzy Hash: 7761BEB1900209BFDB009F60DD85EAA7B69FB85305F00843AF705B62D0D77D9961CF99
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00472EE0,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same fifteen .sdmp segments (0000000000400000 through 000000000059F000) listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: bf214f377d6857cb708af565e6f61848071267d92be3f24c40ffd1659e9a65ef
• Instruction ID: 4eb8147a30471c2b969484520d7d1b1c24976f3a1718a772f7b725b3b94c1b26
• Opcode Fuzzy Hash: bf214f377d6857cb708af565e6f61848071267d92be3f24c40ffd1659e9a65ef
• Instruction Fuzzy Hash: 5C418A71800249AFCF058FA5DE459AF7BB9FF44314F00842AF991AA1A0C778D954DFA4
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
• GetShortPathNameW.KERNEL32(?,004688E8,00000400), ref: 00405F4A
  • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
  • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
• GetShortPathNameW.KERNEL32(?,004690E8,00000400), ref: 00405F67
• wsprintfA.USER32 ref: 00405F85
• GetFileSize.KERNEL32(00000000,00000000,004690E8,C0000000,00000004,004690E8,?,?,?,?,?), ref: 00405FC0
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
• SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004684E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
• GlobalFree.KERNEL32(00000000), ref: 0040606E
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075
  • Part of subcall function 00405DB0: GetFileAttributesW.KERNEL32(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
  • Part of subcall function 00405DB0: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same .sdmp segments listed for the first function above
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: b694a888aaf83b7fce4c3b5560ec35c5a1d29ec5cfaa1e3dee45fb0367e4abd5
• Instruction ID: 1ccef14564d3a4e3590f6d96bf23d62cdd24cd7414a0bd79904b9c13782922cd
• Opcode Fuzzy Hash: b694a888aaf83b7fce4c3b5560ec35c5a1d29ec5cfaa1e3dee45fb0367e4abd5
• Instruction Fuzzy Hash: 08312530641B05BBC220AB659D48F6B3AACDF45744F15003FFA42F72C2EB7C98118AAD
APIs
• lstrlenW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
• lstrlenW.KERNEL32(0040327A,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
• lstrcatW.KERNEL32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,0040327A,0040327A,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,00000000,0042F1FB,74DF23A0), ref: 0040537D
• SetWindowTextW.USER32(Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\,Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\), ref: 0040538F
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
• SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: Delete on reboot: C:\Users\user\AppData\Local\Temp\nsa8163.tmp\
• API String ID: 2531174081-587579473
• Opcode ID: 03d69ce82fc4e5908464ead601bb3ac1f64f2a51dd32175340e58c4215b781fb
• Instruction ID: c4a8b4fbc7344707c8dcd13f789004ac01d88f238d1262f53b2d1dabcf784db2
• Opcode Fuzzy Hash: 03d69ce82fc4e5908464ead601bb3ac1f64f2a51dd32175340e58c4215b781fb
• Instruction Fuzzy Hash: 1F21A171900518BBCB11AFA5DD849CFBFB9EF45350F10807AF904B62A0C7B94A80DFA8
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004042B5
• GetSysColor.USER32(00000000), ref: 004042F3
• SetTextColor.GDI32(?,00000000), ref: 004042FF
• SetBkMode.GDI32(?,?), ref: 0040430B
• GetSysColor.USER32(?), ref: 0040431E
• SetBkColor.GDI32(?,?), ref: 0040432E
• DeleteObject.GDI32(?), ref: 00404348
• CreateBrushIndirect.GDI32(?), ref: 00404352
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
• Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
• Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
• Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
  • Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
• GetMessagePos.USER32 ref: 00404C0F
• ScreenToClient.USER32(?,?), ref: 00404C29
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
APIs
• GetDC.USER32(?), ref: 00401DBC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
• MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
• ReleaseDC.USER32(?,00000000), ref: 00401DEF
• CreateFontIndirectW.GDI32(0041E5D0), ref: 00401E3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: MS Shell Dlg
• API String ID: 3808545654-76309092
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
• MulDiv.KERNEL32(06399284,00000064,0639E5A0), ref: 00402E3C
• wsprintfW.USER32 ref: 00402E4C
• SetWindowTextW.USER32(?,?), ref: 00402E5C
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
Strings
• verifying installer: %d%%, xrefs: 00402E46
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
• GlobalFree.KERNEL32(?), ref: 00402956
• GlobalFree.KERNEL32(00000000), ref: 00402969
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                                    • Opcode ID: ff87bf99e36aab27b6384dee017154e4bdeff7ac382f3b09721b2446f84e6f42
                                                                                                                                                                                                    • Instruction ID: 85d8fb478e53a7d33050a02afe9876517184a336e4e72b82bbd0c3cba42884f9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ff87bf99e36aab27b6384dee017154e4bdeff7ac382f3b09721b2446f84e6f42
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D121AEB1800128BBDF116FA5DE89DDE7E79EF08364F14423AF960762E0CB794C418B98
APIs
• OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00004000,?), ref: 10001054
• EnumWindows.USER32(10001007,?), ref: 10001074
• GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
• WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
• CloseHandle.KERNEL32(00000000), ref: 100010C5
Memory Dump Source
• Source File: 00000000.00000002.2716384725.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2716339848.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000000.00000002.2716451099.0000000010002000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000000.00000002.2716495364.0000000010004000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_Collaboration-x64.jbxd
Similarity
• API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
• String ID:
• API String ID: 3465249596-0
• Opcode ID: ba2bc8da3a6140de48577a9aba2e14b09a295dc7b85f115a3014824a2a14e04b
• Instruction ID: a75cb7c18b994dd6f526631e0a7af626cc5939ab073c97fe0f3ca5b5d0fb8a21
• Opcode Fuzzy Hash: ba2bc8da3a6140de48577a9aba2e14b09a295dc7b85f115a3014824a2a14e04b
• Instruction Fuzzy Hash: 3811E235A00299EFFB00DFA5CDC8AEE77BCEB456C5F014069FA4192149D7B49981CB62
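The API listings above are the raw material for triage: the OpenProcess access mask, the WaitForSingleObject timeout and the order of the calls tell you what the routine does before you open the disassembly. The following is an added example, not Joe Sandbox's code and not code from the sample; it parses the "APIs" lines in the report format above, decodes the OpenProcess access mask with the standard Win32 PROCESS_* constants, and flags the OpenProcess / WaitForSingleObject / TerminateProcess sequence seen in the 0x10000000 module. The two input texts are copied from the listings on this page and embedded inline.

```python
"""Decode Joe Sandbox 'APIs' call listings (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input, copied from the function listings on this page.
KILL_ROUTINE_LINES = """
• OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00004000,?), ref: 10001054
• EnumWindows.USER32(10001007,?), ref: 10001074
• GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
• WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
• CloseHandle.KERNEL32(00000000), ref: 100010C5
"""
FILE_ROUTINE_LINES = """
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
• GlobalFree.KERNEL32(00000000), ref: 00402969
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
"""

# Standard Win32 process access rights (winnt.h values).
PROCESS_TERMINATE = 0x0001
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list       # int for 8-digit hex literals, None for '?', str for inline strings
    ref: int         # address of the call site


# One report line: optional bullet, Api.MODULE(args), ref: address
API_LINE = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                      # value not recovered by the sandbox
    if HEX8.fullmatch(tok):
        return int(tok, 16)
    return tok                           # string or path shown inline


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every 'Api.MODULE(...), ref: addr' line; ignore anything else."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def decode_process_access(mask: int) -> List[str]:
    """Name the PROCESS_* bits in an OpenProcess access mask, low bit first."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append("0x%X" % leftover)  # bits not in the table, kept visible
    return names


def kill_sequence(calls: List[ApiCall]) -> Optional[dict]:
    """Return details when the routine opens a process with PROCESS_TERMINATE,
    waits on it, then calls TerminateProcess, in that order; None otherwise."""
    order = [c.api for c in calls]
    try:
        i_open = order.index("OpenProcess")
        i_wait = order.index("WaitForSingleObject", i_open)
        i_term = order.index("TerminateProcess", i_wait)
    except ValueError:
        return None
    mask = calls[i_open].args[0]
    if not isinstance(mask, int) or not mask & PROCESS_TERMINATE:
        return None
    return {
        "access": decode_process_access(mask),
        "timeout_ms": calls[i_wait].args[1],   # 0x00000BB8 == 3000 ms
        "terminate_ref": calls[i_term].ref,
    }


if __name__ == "__main__":
    print(kill_sequence(parse_api_lines(KILL_ROUTINE_LINES)))
    print(kill_sequence(parse_api_lines(FILE_ROUTINE_LINES)))
```

Run against the first listing the decoder reports access `PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION | SYNCHRONIZE` and a 3000 ms wait before the kill, which is the shape of a process-termination helper rather than an injection routine (no PROCESS_VM_WRITE or PROCESS_CREATE_THREAD). The GlobalAlloc / CloseHandle / DeleteFileW listing has no OpenProcess and is reported as `None`.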
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
• CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
• CharNextW.USER32(?,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
• CharPrevW.USER32(?,?,004DF000,004DF000,004CB000,0040336A,004DF000,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
• Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
• Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
• Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD
APIs
• WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\StdUtils.dll,00002000,?,?,00000021), ref: 004025E8
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa8163.tmp\StdUtils.dll,?,?,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\StdUtils.dll,00002000,?,?,00000021), ref: 004025F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp$C:\Users\user\AppData\Local\Temp\nsa8163.tmp\StdUtils.dll
• API String ID: 3109718747-160365865
• Opcode ID: 991fae946bdf019a7c315e2a20c045ecd4589044c4e58f1009f440a7fe048d5b
• Instruction ID: b23dc685b5da5394ac89c8ab13f2cbf985e24fd8d9932a4f5164fd221fdd45c5
• Opcode Fuzzy Hash: 991fae946bdf019a7c315e2a20c045ecd4589044c4e58f1009f440a7fe048d5b
• Instruction Fuzzy Hash: 76110B72A04201BADB146FF18E89A9F76659F44398F204C3FF102F61D1EAFC89415B5D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                                                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                                                                                    • Opcode ID: aa13740a01abf0a12383255fbb6bacfc07128faef757ca7dce2eb0223a04ec7c
                                                                                                                                                                                                    • Instruction ID: d9fd13ec482603559a9c09f77eb5ae76b99fbdc016b4c624d38ebcad95bf5f4c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: aa13740a01abf0a12383255fbb6bacfc07128faef757ca7dce2eb0223a04ec7c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 28F0FF72A04518AFDB01DBE4DF88CEEB7BCEB48341B14047AF641F61A0CA749D519B78
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • lstrlenW.KERNEL32(00450248,00450248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                                    • wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00450248), ref: 00404B9B
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                                    • String ID: %u.%u%s%s
                                                                                                                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                                                                                                                    • Opcode ID: c75ab1504dd8104253bdc04bf71218fd338cad173e8ef5afb4fab122f1cee964
                                                                                                                                                                                                    • Instruction ID: 65d6ef813479b3ccfd969ec0db039784a4d8c6b5967a53089d3579ec78c560c8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c75ab1504dd8104253bdc04bf71218fd338cad173e8ef5afb4fab122f1cee964
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 401193736041282ADB00656D9C45F9E369C9B85334F25423BFA65F21D1E979D82582E8
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CharNextW.USER32(?,?,C:\,?,00405CAE,C:\,C:\,004DF000,?,74DF3420,004059EC,?,004DF000,74DF3420,00000000), ref: 00405C48
                                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00405C4D
                                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00405C65
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CharNext
                                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                                    • API String ID: 3213498283-3404278061
                                                                                                                                                                                                    • Opcode ID: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
                                                                                                                                                                                                    • Instruction ID: 75375947fb2108fa8988f35f37760ff259c71c6e50658764317197b9124938a5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DAF0BB61908F1199FB3177644C49E7B66BCDB55350B04853FD641B71C0D7F84C818BD9
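The function blocks above all share one layout (an APIs list with call-site refs, then the Similarity fields: API ID, String ID, API String ID, Instruction Fuzzy Hash). When triaging a report like this one it helps to pull those blocks into records so you can pivot from an API name to every call site, and flag strings such as the `nsa8163.tmp\StdUtils.dll` path, which is where an NSIS installer stages its plugin DLLs. The parser below is an added example, not code from Joe Sandbox or from the report; the excerpt it parses is constructed from this page's own entries (argument lists abridged, and the block whose APIs fall outside this section carries only its Similarity fields), and the record field names and the `ns<random>.tmp` pattern are this example's assumptions.

```python
"""Parse Joe Sandbox function blocks (APIs / Similarity) into records.

Added example, not part of the report. SAMPLE is a constructed excerpt in
the page's block layout; field names and the NSIS temp-dir regex are
assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt mirroring the page's blocks (argument lists abridged).
SAMPLE = r"""APIs
• lstrlenW.KERNEL32(00450248,00450248,?,%u.%u%s%s,00000005), ref: 00404B7F
• wsprintfW.USER32 ref: 00404B88
• SetDlgItemTextW.USER32(?,00450248), ref: 00404B9B
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Instruction Fuzzy Hash: 401193736041282ADB00656D9C45F9E369C9B85334F25423BFA65F21D1E979D82582E8
APIs
• CharNextW.USER32(?,?,C:\,?,00405CAE), ref: 00405C48
• CharNextW.USER32(00000000), ref: 00405C4D
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
• Instruction Fuzzy Hash: DAF0BB61908F1199FB3177644C49E7B66BCDB55350B04853FD641B71C0D7F84C818BD9
APIs
Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp$C:\Users\user\AppData\Local\Temp\nsa8163.tmp\StdUtils.dll
• API String ID: 3109718747-160365865
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (no argument list).
API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]+)$")
# Generic "• Key: value" line used by the Similarity section.
FIELD_RE = re.compile(r"^• ([^:]+):\s?(.*)$")
# Assumption: NSIS stages plugins under %TEMP%\ns<random>.tmp\; match that directory.
NSIS_TMP_RE = re.compile(r"\\ns[a-z0-9]+\.tmp(?:\\|$)", re.IGNORECASE)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    api_id: str = ""
    strings: list = field(default_factory=list)   # String ID entries, split on '$'
    api_string_id: str = ""
    fuzzy_hash: str = ""


def parse_blocks(text):
    """Split report text into FunctionBlock records; an 'APIs' header starts a block."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers such as 'Similarity' carry no data themselves
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            cur.calls.append(ApiCall(name, module, args.split(",") if args else [], ref.upper()))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "API ID":
            cur.api_id = value
        elif key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key == "API String ID":
            cur.api_string_id = value
        elif key == "Instruction Fuzzy Hash":
            cur.fuzzy_hash = value
    return blocks


def index_by_api(blocks):
    """Map API name -> sorted call-site refs, to pivot from one API to every function using it."""
    idx = {}
    for b in blocks:
        for c in b.calls:
            idx.setdefault(c.name, set()).add(c.ref)
    return {k: sorted(v) for k, v in idx.items()}


def nsis_plugin_paths(blocks):
    """Return every string or call argument that points into an NSIS plugin temp directory."""
    hits = []
    for b in blocks:
        for s in b.strings + [a for c in b.calls for a in c.args]:
            if NSIS_TMP_RE.search(s):
                hits.append(s)
    return hits


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for api, refs in index_by_api(parsed).items():
        print(api, refs)
    print(nsis_plugin_paths(parsed))
```

The refs come back upper-cased so they can be compared directly against the addresses in the report; the `$`-separated String ID is split so each path can be matched on its own, which is how the two `nsa8163.tmp` entries in the first block are caught.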
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2711426756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711538993.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000040E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000412000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000448000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000460000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000464000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2711598682.0000000000553000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2712365706.000000000059F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Close$Enum
• String ID:
• API String ID: 464197530-0
APIs
• DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
• GetTickCount.KERNEL32 ref: 00402EAA
• CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
• ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
APIs
• IsWindowVisible.USER32(?), ref: 004052C5
• CallWindowProcW.USER32(?,?,?,?), ref: 00405316
  • Part of subcall function 0040427D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
• CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
• lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
Memory Dump Source
• Source File: 00000000.00000002.2711482284.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0

Execution Graph

Execution Coverage: 23.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1343
Total number of Limit Nodes: 25
execution_graph (raw node/edge listing behind the interactive graph view; condensed here to the API calls the graph reaches, grouped by family)
File and directory: CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesW, SetFileAttributesW, CompareFileTime, SetFileTime, DeleteFileW, MoveFileW, MoveFileExW, CreateDirectoryW, RemoveDirectoryW, SetCurrentDirectoryW, FindFirstFileW, FindNextFileW, FindClose, GetFullPathNameW, GetShortPathNameW, GetDiskFreeSpaceW, SHFileOperationW, GetPrivateProfileStringW
Paths and special folders: GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW
File security: SetFileSecurityW (reached from the CreateDirectoryW error path via GetLastError)
Registry: RegOpenKeyExW, RegCreateKeyExW, RegQueryValueExW, RegSetValueExW, RegEnumKeyW, RegEnumValueW, RegCloseKey
Process, thread and timing: CreateProcessW, ShellExecuteExW, CreateThread, WaitForSingleObject, GetExitCodeProcess, CloseHandle, Sleep, GetTickCount, SetTimer
Dynamic API resolution: GetModuleHandleA, GetModuleHandleW, LoadLibraryExW, GetProcAddress, FreeLibrary
COM: CoCreateInstance, IIDFromString, CoTaskMemFree
Clipboard: OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, GlobalLock, GlobalUnlock
Window discovery and messaging: FindWindowExW, SendMessageW, SendMessageTimeoutW, PostQuitMessage, PeekMessageW, DispatchMessageW, SetForegroundWindow, CallWindowProcW, DefWindowProcW
Environment: SetErrorMode, GetVersionExW, GetSystemMetrics, GetLastError
Dialogs, menus and drawing: CreateDialogParamW, GetDlgItem, SetDlgItemTextW, GetDlgItemTextW, CheckDlgButton, EnableWindow, ShowWindow, IsWindow, IsWindowVisible, IsWindowEnabled, SetWindowPos, SetWindowTextW, GetWindowLongW, SetWindowLongW, SetClassLongW, GetWindowRect, GetClientRect, ScreenToClient, GetMessagePos, DestroyWindow, EndDialog, MessageBoxIndirectW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, GetSystemMenu, EnableMenuItem, BeginPaint, EndPaint, FillRect, InvalidateRect, GetDC, ReleaseDC, GetDeviceCaps, MulDiv, GetSysColor, SetTextColor, SetBkMode, SetBkColor, CreateBrushIndirect, CreateFontIndirectW, DeleteObject, LoadImageW, LoadCursorW, SetCursor, ImageList_Destroy
String and memory helpers: lstrcpynW, lstrcpyA, lstrcatW, lstrlenW, lstrlenA, lstrcmpW, lstrcmpiW, lstrcmpiA, CharNextW, CharNextA, CharPrevW, wsprintfW, wsprintfA, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GlobalFree
3285 403650 #17 OleInitialize SHGetFileInfoW 3281->3285 3284 40369d GetCommandLineW 3360 40653d lstrcpynW 3284->3360 3359 40653d lstrcpynW 3285->3359 3287 4036af 3288 405e39 CharNextW 3287->3288 3289 4036d5 CharNextW 3288->3289 3301 4036e6 3289->3301 3290 4037e4 3291 4037f8 GetTempPathW 3290->3291 3361 4034fc 3291->3361 3293 403810 3295 403814 GetWindowsDirectoryW lstrcatW 3293->3295 3296 40386a DeleteFileW 3293->3296 3294 405e39 CharNextW 3294->3301 3297 4034fc 12 API calls 3295->3297 3371 40307d GetTickCount GetModuleFileNameW 3296->3371 3299 403830 3297->3299 3299->3296 3302 403834 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3299->3302 3300 40387d 3304 403a59 ExitProcess CoUninitialize 3300->3304 3306 403932 3300->3306 3314 405e39 CharNextW 3300->3314 3301->3290 3301->3294 3303 4037e6 3301->3303 3305 4034fc 12 API calls 3302->3305 3456 40653d lstrcpynW 3303->3456 3308 403a69 3304->3308 3309 403a7e 3304->3309 3313 403862 3305->3313 3399 403bec 3306->3399 3461 405b9d 3308->3461 3311 403a86 GetCurrentProcess OpenProcessToken 3309->3311 3312 403afc ExitProcess 3309->3312 3317 403acc 3311->3317 3318 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 3311->3318 3313->3296 3313->3304 3328 40389f 3314->3328 3321 40690a 5 API calls 3317->3321 3318->3317 3319 403941 3319->3304 3324 403ad3 3321->3324 3322 403908 3325 405f14 18 API calls 3322->3325 3323 403949 3327 405b08 5 API calls 3323->3327 3326 403ae8 ExitWindowsEx 3324->3326 3330 403af5 3324->3330 3329 403914 3325->3329 3326->3312 3326->3330 3331 40394e lstrcatW 3327->3331 3328->3322 3328->3323 3329->3304 3457 40653d lstrcpynW 3329->3457 3465 40140b 3330->3465 3332 40396a lstrcatW lstrcmpiW 3331->3332 3333 40395f lstrcatW 3331->3333 3332->3319 3335 40398a 3332->3335 3333->3332 3337 403996 3335->3337 3338 40398f 3335->3338 3341 405aeb 2 API calls 3337->3341 3340 405a6e 4 API calls 3338->3340 3339 403927 3458 40653d lstrcpynW 3339->3458 3343 403994 3340->3343 3344 40399b SetCurrentDirectoryW 
3341->3344 3343->3344 3345 4039b8 3344->3345 3346 4039ad 3344->3346 3460 40653d lstrcpynW 3345->3460 3459 40653d lstrcpynW 3346->3459 3349 40657a 17 API calls 3350 4039fa DeleteFileW 3349->3350 3351 403a06 CopyFileW 3350->3351 3356 4039c5 3350->3356 3351->3356 3352 403a50 3354 4062fd 36 API calls 3352->3354 3353 4062fd 36 API calls 3353->3356 3354->3319 3355 40657a 17 API calls 3355->3356 3356->3349 3356->3352 3356->3353 3356->3355 3357 405b20 2 API calls 3356->3357 3358 403a3a CloseHandle 3356->3358 3357->3356 3358->3356 3359->3284 3360->3287 3362 4067c4 5 API calls 3361->3362 3364 403508 3362->3364 3363 403512 3363->3293 3364->3363 3365 405e0c 3 API calls 3364->3365 3366 40351a 3365->3366 3367 405aeb 2 API calls 3366->3367 3368 403520 3367->3368 3468 40605c 3368->3468 3472 40602d GetFileAttributesW CreateFileW 3371->3472 3373 4030bd 3391 4030cd 3373->3391 3473 40653d lstrcpynW 3373->3473 3375 4030e3 3376 405e58 2 API calls 3375->3376 3377 4030e9 3376->3377 3474 40653d lstrcpynW 3377->3474 3379 4030f4 GetFileSize 3380 4031ee 3379->3380 3398 40310b 3379->3398 3475 403019 3380->3475 3382 4031f7 3384 403227 GlobalAlloc 3382->3384 3382->3391 3487 4034e5 SetFilePointer 3382->3487 3383 4034cf ReadFile 3383->3398 3486 4034e5 SetFilePointer 3384->3486 3386 40325a 3388 403019 6 API calls 3386->3388 3388->3391 3389 403210 3392 4034cf ReadFile 3389->3392 3390 403242 3393 4032b4 31 API calls 3390->3393 3391->3300 3394 40321b 3392->3394 3396 40324e 3393->3396 3394->3384 3394->3391 3395 403019 6 API calls 3395->3398 3396->3391 3396->3396 3397 40328b SetFilePointer 3396->3397 3397->3391 3398->3380 3398->3383 3398->3386 3398->3391 3398->3395 3400 40690a 5 API calls 3399->3400 3401 403c00 3400->3401 3402 403c06 3401->3402 3403 403c18 3401->3403 3496 406484 wsprintfW 3402->3496 3404 40640b 3 API calls 3403->3404 3405 403c48 3404->3405 3406 403c67 lstrcatW 3405->3406 3408 40640b 3 API calls 3405->3408 3409 403c16 3406->3409 3408->3406 3488 403ec2 3409->3488 3412 405f14 18 API calls 
3413 403c99 3412->3413 3414 403d2d 3413->3414 3416 40640b 3 API calls 3413->3416 3415 405f14 18 API calls 3414->3415 3417 403d33 3415->3417 3419 403ccb 3416->3419 3418 403d43 LoadImageW 3417->3418 3420 40657a 17 API calls 3417->3420 3421 403de9 3418->3421 3422 403d6a RegisterClassW 3418->3422 3419->3414 3423 403cec lstrlenW 3419->3423 3427 405e39 CharNextW 3419->3427 3420->3418 3426 40140b 2 API calls 3421->3426 3424 403da0 SystemParametersInfoW CreateWindowExW 3422->3424 3425 403df3 3422->3425 3428 403d20 3423->3428 3429 403cfa lstrcmpiW 3423->3429 3424->3421 3425->3319 3430 403def 3426->3430 3431 403ce9 3427->3431 3433 405e0c 3 API calls 3428->3433 3429->3428 3432 403d0a GetFileAttributesW 3429->3432 3430->3425 3435 403ec2 18 API calls 3430->3435 3431->3423 3434 403d16 3432->3434 3436 403d26 3433->3436 3434->3428 3437 405e58 2 API calls 3434->3437 3438 403e00 3435->3438 3497 40653d lstrcpynW 3436->3497 3437->3428 3440 403e0c ShowWindow 3438->3440 3441 403e8f 3438->3441 3443 40689a 3 API calls 3440->3443 3498 405672 OleInitialize 3441->3498 3445 403e24 3443->3445 3444 403e95 3446 403eb1 3444->3446 3447 403e99 3444->3447 3448 403e32 GetClassInfoW 3445->3448 3450 40689a 3 API calls 3445->3450 3449 40140b 2 API calls 3446->3449 3447->3425 3454 40140b 2 API calls 3447->3454 3451 403e46 GetClassInfoW RegisterClassW 3448->3451 3452 403e5c DialogBoxParamW 3448->3452 3449->3425 3450->3448 3451->3452 3453 40140b 2 API calls 3452->3453 3455 403e84 3453->3455 3454->3425 3455->3425 3456->3291 3457->3339 3458->3306 3459->3345 3460->3356 3462 405bb2 3461->3462 3463 403a76 ExitProcess 3462->3463 3464 405bc6 MessageBoxIndirectW 3462->3464 3464->3463 3466 401389 2 API calls 3465->3466 3467 401420 3466->3467 3467->3312 3469 406069 GetTickCount GetTempFileNameW 3468->3469 3470 40352b 3469->3470 3471 40609f 3469->3471 3470->3293 3471->3469 3471->3470 3472->3373 3473->3375 3474->3379 3476 403022 3475->3476 3477 40303a 3475->3477 3478 403032 3476->3478 3479 40302b DestroyWindow 
3476->3479 3480 403042 3477->3480 3481 40304a GetTickCount 3477->3481 3478->3382 3479->3478 3482 406946 2 API calls 3480->3482 3483 403058 CreateDialogParamW ShowWindow 3481->3483 3484 40307b 3481->3484 3485 403048 3482->3485 3483->3484 3484->3382 3485->3382 3486->3390 3487->3389 3489 403ed6 3488->3489 3505 406484 wsprintfW 3489->3505 3491 403f47 3506 403f7b 3491->3506 3493 403c77 3493->3412 3494 403f4c 3494->3493 3495 40657a 17 API calls 3494->3495 3495->3494 3496->3409 3497->3414 3509 4044e5 3498->3509 3500 4056bc 3501 4044e5 SendMessageW 3500->3501 3503 4056ce OleUninitialize 3501->3503 3502 405695 3502->3500 3512 401389 3502->3512 3503->3444 3505->3491 3507 40657a 17 API calls 3506->3507 3508 403f89 SetWindowTextW 3507->3508 3508->3494 3510 4044fd 3509->3510 3511 4044ee SendMessageW 3509->3511 3510->3502 3511->3510 3514 401390 3512->3514 3513 4013fe 3513->3502 3514->3513 3515 4013cb MulDiv SendMessageW 3514->3515 3515->3514 4388 401a30 4389 402da6 17 API calls 4388->4389 4390 401a39 ExpandEnvironmentStringsW 4389->4390 4391 401a4d 4390->4391 4393 401a60 4390->4393 4392 401a52 lstrcmpW 4391->4392 4391->4393 4392->4393 4399 4023b2 4400 4023ba 4399->4400 4402 4023c0 4399->4402 4401 402da6 17 API calls 4400->4401 4401->4402 4403 402da6 17 API calls 4402->4403 4404 4023ce 4402->4404 4403->4404 4405 4023dc 4404->4405 4406 402da6 17 API calls 4404->4406 4407 402da6 17 API calls 4405->4407 4406->4405 4408 4023e5 WritePrivateProfileStringW 4407->4408 3577 402434 3578 402467 3577->3578 3579 40243c 3577->3579 3580 402da6 17 API calls 3578->3580 3581 402de6 17 API calls 3579->3581 3582 40246e 3580->3582 3583 402443 3581->3583 3588 402e64 3582->3588 3585 40247b 3583->3585 3586 402da6 17 API calls 3583->3586 3587 402454 RegDeleteValueW RegCloseKey 3586->3587 3587->3585 3589 402e71 3588->3589 3590 402e78 3588->3590 3589->3585 3590->3589 3592 402ea9 3590->3592 3593 4063aa RegOpenKeyExW 3592->3593 3594 402ed7 3593->3594 3595 402ee1 3594->3595 3596 402f8c 3594->3596 3597 402ee7 
RegEnumValueW 3595->3597 3604 402f0a 3595->3604 3596->3589 3598 402f71 RegCloseKey 3597->3598 3597->3604 3598->3596 3599 402f46 RegEnumKeyW 3600 402f4f RegCloseKey 3599->3600 3599->3604 3601 40690a 5 API calls 3600->3601 3603 402f5f 3601->3603 3602 402ea9 6 API calls 3602->3604 3605 402f81 3603->3605 3606 402f63 RegDeleteKeyW 3603->3606 3604->3598 3604->3599 3604->3600 3604->3602 3605->3596 3606->3596 4409 401735 4410 402da6 17 API calls 4409->4410 4411 40173c SearchPathW 4410->4411 4412 401757 4411->4412 4413 401d38 4414 402d84 17 API calls 4413->4414 4415 401d3f 4414->4415 4416 402d84 17 API calls 4415->4416 4417 401d4b GetDlgItem 4416->4417 4418 402638 4417->4418 4419 4014b8 4420 4014be 4419->4420 4421 401389 2 API calls 4420->4421 4422 4014c6 4421->4422 4423 40263e 4424 402652 4423->4424 4425 40266d 4423->4425 4426 402d84 17 API calls 4424->4426 4427 402672 4425->4427 4428 40269d 4425->4428 4435 402659 4426->4435 4429 402da6 17 API calls 4427->4429 4430 402da6 17 API calls 4428->4430 4432 402679 4429->4432 4431 4026a4 lstrlenW 4430->4431 4431->4435 4440 40655f WideCharToMultiByte 4432->4440 4434 40268d lstrlenA 4434->4435 4436 4026d1 4435->4436 4437 4026e7 4435->4437 4439 40610e 5 API calls 4435->4439 4436->4437 4438 4060df WriteFile 4436->4438 4438->4437 4439->4436 4440->4434

Control-flow Graph
APIs
• SetErrorMode.KERNELBASE(00008001), ref: 00403550
• GetVersionExW.KERNEL32(?), ref: 00403579
• GetVersionExW.KERNEL32(0000011C), ref: 00403590
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
• #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
• OleInitialize.OLE32(00000000), ref: 0040366A
• SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
• GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
• CharNextW.USER32(00000000,"C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000020,"C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000), ref: 004036D6
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
• DeleteFileW.KERNELBASE(1033), ref: 0040386F
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,?), ref: 00403956
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,?), ref: 00403965
  • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,?), ref: 00403970
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,?), ref: 0040397C
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
• DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
• CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,0042AA28,00000001), ref: 00403A0E
• CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
• ExitProcess.KERNEL32(?), ref: 00403A59
• CoUninitialize.COMBASE(?), ref: 00403A5E
• ExitProcess.KERNEL32 ref: 00403A78
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
• OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
• ExitProcess.KERNEL32 ref: 00403B0C
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: "C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe" /S /skipDowngrade=true$.tmp$1033$C:\Program Files\Wildix\WIService$C:\Program Files\Wildix\WIService$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa8163.tmp$C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 2292928366-4119421352
• Opcode ID: e805ab00ed8521cef9d67492f65783a092b2e0cefe37e968f3c93af94c7db321
• Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e805ab00ed8521cef9d67492f65783a092b2e0cefe37e968f3c93af94c7db321
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 282 405c49-405c6f call 405f14 285 405c71-405c83 DeleteFileW 282->285 286 405c88-405c8f 282->286 287 405e05-405e09 285->287 288 405c91-405c93 286->288 289 405ca2-405cb2 call 40653d 286->289 290 405db3-405db8 288->290 291 405c99-405c9c 288->291 297 405cc1-405cc2 call 405e58 289->297 298 405cb4-405cbf lstrcatW 289->298 290->287 293 405dba-405dbd 290->293 291->289 291->290 295 405dc7-405dcf call 406873 293->295 296 405dbf-405dc5 293->296 295->287 306 405dd1-405de5 call 405e0c call 405c01 295->306 296->287 300 405cc7-405ccb 297->300 298->300 302 405cd7-405cdd lstrcatW 300->302 303 405ccd-405cd5 300->303 305 405ce2-405cfe lstrlenW FindFirstFileW 302->305 303->302 303->305 307 405d04-405d0c 305->307 308 405da8-405dac 305->308 322 405de7-405dea 306->322 323 405dfd-405e00 call 40559f 306->323 310 405d2c-405d40 call 40653d 307->310 311 405d0e-405d16 307->311 308->290 313 405dae 308->313 324 405d42-405d4a 310->324 325 405d57-405d62 call 405c01 310->325 314 405d18-405d20 311->314 315 405d8b-405d9b FindNextFileW 311->315 313->290 314->310 318 405d22-405d2a 314->318 315->307 321 405da1-405da2 FindClose 315->321 318->310 318->315 321->308 322->296 328 405dec-405dfb call 40559f call 4062fd 322->328 323->287 324->315 329 405d4c-405d55 call 405c49 324->329 333 405d83-405d86 call 40559f 325->333 334 405d64-405d67 325->334 328->287 329->315 333->315 337 405d69-405d79 call 40559f call 4062fd 334->337 338 405d7b-405d81 334->338 337->315 338->315
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
                                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbD58.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsbD58.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBA
                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsbD58.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CDD
                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsbD58.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
                                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsbD58.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsbD58.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
                                                                                                                                                                                                    • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405DA2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                    • String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsbD58.tmp\*.*$\*.*
                                                                                                                                                                                                    • API String ID: 2035342205-2808462245
                                                                                                                                                                                                    • Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
                                                                                                                                                                                                    • Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(74DF3420,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0040688A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                                    • API String ID: 2295610775-3404278061
                                                                                                                                                                                                    • Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                                                                                                                                                                                    • Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileFindFirst
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1974802433-0
                                                                                                                                                                                                    • Opcode ID: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
                                                                                                                                                                                                    • Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
Control-flow graph: function 00403BEC (basic blocks 00403BEC to 00403EC1; rendered graph data not reproduced)
APIs
  • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
  • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
• lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C6D
• lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Program Files\Wildix\WIService,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420), ref: 00403CED
• lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Program Files\Wildix\WIService,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
• GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403D0B
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\Wildix\WIService), ref: 00403D54
  • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
• RegisterClassW.USER32(00433EA0), ref: 00403D91
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
• ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
• GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
• GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
• RegisterClassW.USER32(00433EA0), ref: 00403E56
• DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Program Files\Wildix\WIService$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-2842658238
• Opcode ID: cf3279fe7f0dcda04763d777311536b3ad8b8334462163e510e5c591121a5e62
• Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
• Opcode Fuzzy Hash: cf3279fe7f0dcda04763d777311536b3ad8b8334462163e510e5c591121a5e62
• Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Control-flow Graph

Control-flow graph: function 0040307D (basic blocks 0040307D to 004032B1; rendered graph data not reproduced)
APIs
• GetTickCount.KERNEL32 ref: 0040308E
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
  • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
  • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
• GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
• GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa8163.tmp$C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
• API String ID: 2803837635-4186588108
• Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
• Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
• Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
• Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D
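The function at 0040307D above is the NSIS installer stub's self-check: it opens its own image (GetModuleFileNameW, CreateFileW, GetFileSize), scans it for the first-header record whose magic is the strings Null, soft and Inst listed in the String ID, and on failure shows the "Installer integrity check has failed" message also listed there. The following Python parser is an added example, not code from the report or from the sample; it performs the same search over a file image and verifies the trailing CRC-32. The record layout (flags, 0xDEADBEEF signature, NullsoftInst, header length, length of all following data), the flag names, the 512-byte scan step and the placement of a little-endian CRC-32 over everything before the last four bytes are assumptions taken from the public NSIS stub source, and the images it checks are constructed here, not taken from the analysed sample.

```python
import struct
import zlib

# NSIS first-header layout, assumed from the public NSIS stub source (not from the report):
#   int flags; int siginfo; char nsinst[12]; int length_of_header; int length_of_all_following_data
FIRSTHEADER = struct.Struct("<II12sII")
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"
FH_FLAGS_MASK = 0xF
FH_FLAGS = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}
SCAN_STEP = 512  # assumption: the stub probes its image at 512-byte steps until the header matches


def find_firstheader(image: bytes):
    """Return (offset, flags, header_len, following_len) of the first header, or None."""
    for off in range(0, len(image) - FIRSTHEADER.size + 1, SCAN_STEP):
        flags, sig, magic, hdr_len, following = FIRSTHEADER.unpack_from(image, off)
        # The record must carry the signature, the magic, only known flag bits,
        # and a following-data length that reaches exactly to the end of the file.
        if (sig == FH_SIG and magic == FH_MAGIC and (flags & ~FH_FLAGS_MASK) == 0
                and following == len(image) - off):
            return off, flags, hdr_len, following
    return None


def check_integrity(image: bytes) -> dict:
    """Mirror the stub: locate the header, then verify the trailing CRC unless NO_CRC is set."""
    found = find_firstheader(image)
    if found is None:
        return {"ok": False, "reason": "no NSIS first header"}
    off, flags, hdr_len, following = found
    names = [name for bit, name in FH_FLAGS.items() if flags & bit]
    if (flags & 4) and not (flags & 8):
        # NO_CRC without FORCE_CRC: the stub skips the check entirely.
        return {"ok": True, "offset": off, "flags": names, "crc_checked": False}
    stored = struct.unpack_from("<I", image, len(image) - 4)[0]
    computed = zlib.crc32(image[:-4]) & 0xFFFFFFFF  # CRC covers the PE stub as well as the data
    return {"ok": stored == computed, "offset": off, "flags": names, "crc_checked": True,
            "stored_crc": stored, "computed_crc": computed}


def build_sample(stub_size: int = 1024, payload: bytes = b"compressed-data-placeholder",
                 flags: int = 0, with_crc: bool = True) -> bytes:
    """Construct a toy image: fake PE stub, first header, payload, optional trailing CRC.

    This is constructed test data, not a real installer; the payload stands in for the
    compressed header and data blocks a real NSIS file carries after the first header.
    """
    stub = b"MZ" + b"\x00" * (stub_size - 2)
    following = FIRSTHEADER.size + len(payload) + (4 if with_crc else 0)
    header = FIRSTHEADER.pack(flags, FH_SIG, FH_MAGIC, len(payload), following)
    body = stub + header + payload
    if with_crc:
        body += struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body


def corrupt(image: bytes, index: int) -> bytes:
    """Flip one byte to simulate the incomplete download / damaged media case the message names."""
    data = bytearray(image)
    data[index] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    good = build_sample()
    print(check_integrity(good))                            # ok: True, crc_checked: True
    print(check_integrity(corrupt(good, len(good) - 8)))    # ok: False, CRC mismatch
    print(check_integrity(build_sample(flags=4, with_crc=False)))  # NO_CRC: check skipped
```

The NO_CRC branch is the one worth noting when triaging an installer: a stub built with that flag will run a tampered payload without complaint, so the presence of the integrity-check string in the binary is not by itself evidence that the check executes.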

Control-flow Graph

Control-flow graph: function 0040657A (basic blocks 0040657A to 004067C1; rendered graph data not reproduced)
APIs
• GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406695
• GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,?,74DF23A0), ref: 004066A8
• lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
• lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Directory$SystemWindowslstrcatlstrlen
• String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 4260037668-1230650788
• Opcode ID: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
• Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
• Opcode Fuzzy Hash: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
• Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Control-flow Graph

Control-flow graph: function 004032B4 (basic blocks 004032B4 to 004034CC; rendered graph data not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CountTick$wsprintf
                                                                                                                                                                                                    • String ID: *B$ A$ A$... %d%%$}8@
                                                                                                                                                                                                    • API String ID: 551687249-3029848762
                                                                                                                                                                                                    • Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                                                                                                                                                                                                    • Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 467 40176f-401794 call 402da6 call 405e83 472 401796-40179c call 40653d 467->472 473 40179e-4017b0 call 40653d call 405e0c lstrcatW 467->473 478 4017b5-4017b6 call 4067c4 472->478 473->478 482 4017bb-4017bf 478->482 483 4017c1-4017cb call 406873 482->483 484 4017f2-4017f5 482->484 491 4017dd-4017ef 483->491 492 4017cd-4017db CompareFileTime 483->492 485 4017f7-4017f8 call 406008 484->485 486 4017fd-401819 call 40602d 484->486 485->486 494 40181b-40181e 486->494 495 40188d-4018b6 call 40559f call 4032b4 486->495 491->484 492->491 496 401820-40185e call 40653d * 2 call 40657a call 40653d call 405b9d 494->496 497 40186f-401879 call 40559f 494->497 507 4018b8-4018bc 495->507 508 4018be-4018ca SetFileTime 495->508 496->482 529 401864-401865 496->529 509 401882-401888 497->509 507->508 511 4018d0-4018db CloseHandle 507->511 508->511 512 402c33 509->512 515 4018e1-4018e4 511->515 516 402c2a-402c2d 511->516 517 402c35-402c39 512->517 519 4018e6-4018f7 call 40657a lstrcatW 515->519 520 4018f9-4018fc call 40657a 515->520 516->512 526 401901-4023a2 call 405b9d 519->526 520->526 526->516 526->517 529->509 531 401867-401868 529->531 531->497
APIs
• lstrcatW.KERNEL32(00000000,00000000,Call,C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017B0
• CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017D5
  • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
  • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA
  • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
  • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Program Files\Wildix\WIService$C:\Users\user\AppData\Local\Temp\nsbD58.tmp$C:\Users\user\AppData\Local\Temp\nsbD58.tmp\System.dll$Call
• API String ID: 1941528284-1777759660
• Opcode ID: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
• Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
• Opcode Fuzzy Hash: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
• Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 533 40689a-4068ba GetSystemDirectoryW 534 4068bc 533->534 535 4068be-4068c0 533->535 534->535 536 4068d1-4068d3 535->536 537 4068c2-4068cb 535->537 539 4068d4-406907 wsprintfW LoadLibraryExW 536->539 537->536 538 4068cd-4068cf 537->538 538->539
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
• wsprintfW.USER32 ref: 004068EC
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
• Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

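Working with these records programmatically: the following Python is an added example, not part of the Joe Sandbox report or of the analysed sample. It parses one `control_flow_graph` line into basic blocks and edges and answers the questions an analyst actually asks of such a graph (which imported APIs are reachable from the function entry, and in what address order; which blocks call a given API). The token grammar is inferred from the lines on this page and is an assumption, not a documented format: a decimal block id followed by a hex `start-end` (or single address) range, then API names, `call <addr>` for internal subroutines, `* N` repeat counts, and `src->dst` edges. The sample input is the UXTHEME loader record above, copied verbatim.

```python
"""Parse Joe Sandbox `control_flow_graph` lines into blocks and edges."""
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed sample input: the UXTHEME loader record from the report, copied verbatim.
SAMPLE_CFG = (
    "control_flow_graph 533 40689a-4068ba GetSystemDirectoryW 534 4068bc 533->534 "
    "535 4068be-4068c0 533->535 534->535 536 4068d1-4068d3 535->536 "
    "537 4068c2-4068cb 535->537 539 4068d4-406907 wsprintfW LoadLibraryExW "
    "536->539 537->536 538 4068cd-4068cf 537->538 538->539"
)

# Token shapes inferred from the report lines (assumptions, not a documented grammar).
NODE_ID = re.compile(r"^\d{1,5}$")                            # block id, decimal
ADDR = re.compile(r"^([0-9a-f]{5,8})(?:-([0-9a-f]{5,8}))?$")   # start[-end], hex
EDGE = re.compile(r"^(\d+)->(\d+)$")                          # src->dst


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)   # [(name, count), ...] in token order


@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)  # bid -> Block
    edges: list = field(default_factory=list)   # (src, dst) in report order


def parse_cfg(line: str) -> Cfg:
    """Tokenise one control_flow_graph line. `call <hex>` is an internal
    subroutine (kept as sub_<hex>); `* N` multiplies the preceding call."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, i = Cfg(), None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            cfg.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        a = ADDR.match(nxt)
        if NODE_ID.match(t) and a:
            start = int(a.group(1), 16)
            end = int(a.group(2), 16) if a.group(2) else start
            cur = Block(int(t), start, end)
            cfg.blocks[cur.bid] = cur
            i += 2
            continue
        if cur is None:
            raise ValueError(f"annotation before any block: {t!r}")
        if t == "call" and a:
            cur.calls.append((f"sub_{nxt}", 1))
            i += 2
            continue
        if t == "*" and nxt.isdigit() and cur.calls:
            name, n = cur.calls[-1]
            cur.calls[-1] = (name, n * int(nxt))
            i += 2
            continue
        cur.calls.append((t, 1))      # imported API name such as LoadLibraryExW
        i += 1
    return cfg


def entry_block(cfg: Cfg) -> int:
    """Lowest-address block with no predecessor: the function entry."""
    has_pred = {d for _, d in cfg.edges}
    cands = [b for b in cfg.blocks.values() if b.bid not in has_pred]
    return min(cands, key=lambda b: b.start).bid


def reachable(cfg: Cfg, entry: int) -> set:
    """Block ids reachable from `entry` by following edges (BFS)."""
    succ = {}
    for s, d in cfg.edges:
        succ.setdefault(s, []).append(d)
    seen, todo = {entry}, deque([entry])
    while todo:
        for d in succ.get(todo.popleft(), []):
            if d not in seen:
                seen.add(d)
                todo.append(d)
    return seen


def api_calls(cfg: Cfg, entry=None) -> list:
    """Imported-API names in address order (internal sub_ calls excluded),
    restricted to blocks reachable from `entry` when one is given."""
    ids = reachable(cfg, entry) if entry is not None else set(cfg.blocks)
    blocks = sorted((cfg.blocks[i] for i in ids if i in cfg.blocks), key=lambda b: b.start)
    return [name for b in blocks for name, _ in b.calls if not name.startswith("sub_")]


def blocks_calling(cfg: Cfg, name: str) -> list:
    """Block ids whose call list contains `name`, in address order."""
    return [b.bid for b in sorted(cfg.blocks.values(), key=lambda b: b.start)
            if any(n == name for n, _ in b.calls)]


if __name__ == "__main__":
    g = parse_cfg(SAMPLE_CFG)
    print(f"{len(g.blocks)} blocks, {len(g.edges)} edges, entry block {entry_block(g)}")
    print("API order from entry:", " -> ".join(api_calls(g, entry_block(g))))
    for b in sorted(g.blocks.values(), key=lambda b: b.start):
        print(f"  {b.bid:>4} {b.start:06x}-{b.end:06x} {b.calls}")
```

Run on the sample record it reports seven blocks, nine edges, entry block 533 and the API order GetSystemDirectoryW, wsprintfW, LoadLibraryExW, which matches the API list in the record. Any of the other `control_flow_graph` lines in this report can be passed to `parse_cfg` unchanged, including those carrying `call <addr> * 2` repeat markers.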
                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 540 405a6e-405ab9 CreateDirectoryW 541 405abb-405abd 540->541 542 405abf-405acc GetLastError 540->542 543 405ae6-405ae8 541->543 542->543 544 405ace-405ae2 SetFileSecurityW 542->544 544->541 545 405ae4 GetLastError 544->545 545->543
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AC5
                                                                                                                                                                                                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AE4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3449924974-3081826266

Control-flow Graph: function entry block 402ea9 (rendered graph omitted)

APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0

Control-flow Graph: function entry block 40248a (rendered graph omitted)

APIs
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbD58.tmp,00000023,00000011,00000002), ref: 004024D5
• RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsbD58.tmp,00000000,00000011,00000002), ref: 00402515
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsbD58.tmp,00000000,00000011,00000002), ref: 004025FD
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsbD58.tmp
• API String ID: 2655323295-255703604

Control-flow Graph: function entry block 405f14 (rendered graph omitted)

APIs
  • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
  • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
  • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
  • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
• lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
• GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\$C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-3049482934

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 614 40605c-406068 615 406069-40609d GetTickCount GetTempFileNameW 614->615 616 4060ac-4060ae 615->616 617 40609f-4060a1 615->617 619 4060a6-4060a9 616->619 617->615 618 4060a3 617->618 618->619
APIs
• GetTickCount.KERNEL32 ref: 0040607A
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-678247507

Control-flow Graph (rendered graph not reproduced)
APIs
  • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
  • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
  • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
• SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files\Wildix\WIService,?,00000000,000000F0), ref: 0040164D
Strings
• C:\Program Files\Wildix\WIService, xrefs: 00401640
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Program Files\Wildix\WIService
• API String ID: 1892508949-2436880260

Control-flow Graph (rendered graph not reproduced)
APIs
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,Call,?,?,00406672,80000002), ref: 00406451
• RegCloseKey.KERNELBASE(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C248), ref: 0040645C
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: Call
• API String ID: 3356406503-1824292864
APIs
• FreeLibrary.KERNELBASE(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
• GlobalFree.KERNEL32(?), ref: 00403B78
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3081826266
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
  • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA
  • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
  • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
APIs
• GlobalFree.KERNEL32(?), ref: 00401C0B
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
  • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
  • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Global$AllocFreelstrcatlstrlen
• String ID: Call
• API String ID: 3292104215-1824292864
APIs
  • Part of subcall function 00405B63: ShellExecuteExW.SHELL32(?), ref: 00405B72
  • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
  • Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
• CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
• String ID: @$C:\Program Files\Wildix\WIService
• API String ID: 165873841-3745962701
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
• RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025E4
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsbD58.tmp,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
APIs
  • Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
  • Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
• RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C1C
• DeleteFileW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C24
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
• Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
• Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
• Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A
APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069DB
• GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: ObjectSingleWait$CodeExitProcess
• String ID:
• API String ID: 2567322000-0
• Opcode ID: 5001a44abd0e5b0949431453b9a2c42ce6d4f473903e6ae1ef305ee8f225f71a
• Instruction ID: f5f2e02d25af80b97bb350a16654da7f97250589dc800b1049f4071f8343982b
• Opcode Fuzzy Hash: 5001a44abd0e5b0949431453b9a2c42ce6d4f473903e6ae1ef305ee8f225f71a
• Instruction Fuzzy Hash: 0CE0D8B1A00118FBDB109F54DE05E9E7B6EDF44750F110033FA01B6590D7B19E25DB94
APIs
• CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
Strings
• C:\Program Files\Wildix\WIService, xrefs: 00402269
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Program Files\Wildix\WIService
• API String ID: 542301482-2436880260
• Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
• Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
• Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
• Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94
APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsbD58.tmp,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: dd1b1b3d94faa584660aa564dd852358c6c0cbefcfc3417a0db06bb84b323ca4
• Instruction ID: 3e5dab0bbcc9b7b4348569693e39c51bc0b27c59e8ea0ed6abb05ebc10b9b344
• Opcode Fuzzy Hash: dd1b1b3d94faa584660aa564dd852358c6c0cbefcfc3417a0db06bb84b323ca4
• Instruction Fuzzy Hash: 5F116D71900219EADF14DFA4DA589AE77B4FF04345B20443BE401B62C0E7B88A45EB5D
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3850602802-0
APIs
• RegDeleteValueW.KERNELBASE(00000000,00000000,00000033), ref: 00402456
• RegCloseKey.KERNELBASE(00000000), ref: 0040245F
Similarity
• API ID: CloseDeleteValue
• String ID:
• API String ID: 2831762973-0
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
• CloseHandle.KERNEL32(?), ref: 00405B56
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
• GetProcAddress.KERNEL32(00000000,?), ref: 00406937
  • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
  • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
  • Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
APIs
• GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
• SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
• Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
• Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
• Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D
Strings
• C:\Users\user\AppData\Local\Temp\nsbD58.tmp\, xrefs: 00403B31
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\nsbD58.tmp\
• API String ID: 2962429428-2439265117
• Opcode ID: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
• Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
• Opcode Fuzzy Hash: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
• Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
• GetLastError.KERNEL32 ref: 00405AFF
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
• Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
• Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
• Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D
APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF
  • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
• Opcode ID: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
• Instruction ID: a13d1cf18dcce6f7d85bed0b4e0fde0de6b16079219dfacd376ffc086bc6f252
• Opcode Fuzzy Hash: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
• Instruction Fuzzy Hash: D3E09271A04105BFDB01EFA5AE499AEB3B8EF44319B10483BF102F00C1DA794D119B2D
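The function records in this listing share one fixed layout (APIs, an optional Strings block, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them straightforward to turn into structured rows for triage: which functions call which API and from which call site, and which strings or arguments point at the user's temp directory, where this installer stub drops its working files. The parser below is an added example and is not Joe Sandbox code. Its input is three records copied from this listing, trimmed to a few fields each; the record-boundary rule it uses (a record starts at an APIs line, or at a Strings line that does not directly follow one) is an assumption drawn from the layout of this page, not a documented format rule.

```python
"""Parse Joe Sandbox function records (APIs / Strings / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity) into rows for triage. Added example, not
Joe Sandbox code; the record-boundary rule is an assumption from this page."""
import re
from dataclasses import dataclass, field

# Three records copied from the listing, trimmed to a few fields each.
SAMPLE = """\
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D
Strings
• C:\\Users\\user\\AppData\\Local\\Temp\\nsbD58.tmp\\, xrefs: 00403B31
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseHandle
• String ID: C:\\Users\\user\\AppData\\Local\\Temp\\nsbD58.tmp\\
• API String ID: 2962429428-2439265117
• Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\\Users\\user\\AppData\\Local\\Temp\\,00403810), ref: 00405AF1
• GetLastError.KERNEL32 ref: 00405AFF
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D
APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF
  • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
Similarity
• API ID: FilePointerwsprintf
• Instruction Fuzzy Hash: D3E09271A04105BFDB01EFA5AE499AEB3B8EF44319B10483BF102F00C1DA794D119B2D
"""

# "Api.Module(args), ref: addr", "Api.Module ref: addr", or the indented
# "Part of subcall function X: Api.Module ref: addr" form.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str        # raw argument list exactly as the report prints it
    ref: str         # call-site address
    subcall_of: str  # callee address for "Part of subcall function" lines, else ""


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (string, xref address)
    source_file: str = ""
    offset: str = ""
    fields: dict = field(default_factory=dict)   # IDA plugin and Similarity key/values


def parse_records(text: str) -> list:
    """A record starts at an 'APIs' line, or at a 'Strings' line not directly after one."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs" or (line == "Strings" and section != "APIs"):
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if not line.startswith("•") or rec is None:
            continue  # blank lines, and bullets of a record truncated at the top
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                rec.apis.append(ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"] or ""))
        elif section == "Strings":
            s, sep, xref = item.rpartition(", xrefs: ")
            rec.strings.append((s, xref) if sep else (item, ""))
        elif section == "Memory Dump Source" and item.startswith("Source File:"):
            kv = dict(p.partition(":")[::2] for p in item.split(", "))
            rec.source_file, rec.offset = kv["Source File"].strip(), kv.get("Offset", "").strip()
        elif section in ("Joe Sandbox IDA Plugin", "Similarity"):
            key, _, val = item.partition(":")
            rec.fields[key.strip()] = val.strip()
    return records


def calls_to(records: list, api: str) -> list:
    """(record number, call-site address) for every call to `api`, for 'who calls X' questions."""
    return [(i, c.ref) for i, r in enumerate(records) for c in r.apis if c.name == api]


def temp_paths(records: list) -> list:
    """Strings and API arguments that reference the user's %TEMP% directory."""
    needle = "\\appdata\\local\\temp\\"
    hits = set()
    for rec in records:
        cands = [s for s, _ in rec.strings] + [a for c in rec.apis for a in c.args.split(",")]
        hits.update(c for c in cands if needle in c.lower())
    return sorted(hits)
```

With the full listing as input, `calls_to(recs, "SetFileAttributesW")` answers which functions clear file attributes (the GetFileAttributesW/SetFileAttributesW(?, 0) pair above is what an installer does before deleting or overwriting a read-only file), and `temp_paths` collects every `nsXXXX.tmp` working directory the stub references, which is the first thing to check against the dropped-file list elsewhere in the report. The `Instruction Fuzzy Hash` value in `fields` is kept as-is so records can be matched against another sample's report without re-deriving it.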
APIs
• FindNextFileW.KERNELBASE(00000000,?,?), ref: 004028F2
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
• Opcode ID: 5a0eca54d12d830a6cf0b67cd5981ecab404d45d89ec6f49a99563b0e2ede8d6
• Instruction ID: db9f6404ebf4ce2de6069d57e227025b0e6a75b8a6eb25932bbfae1af7e2135c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5a0eca54d12d830a6cf0b67cd5981ecab404d45d89ec6f49a99563b0e2ede8d6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3EE0E572A041159BDB11DFA5ED88AAE7374EF40314F20447BD102F61D0E7B85A55AB1D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                                    • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                                                                                                    • Instruction ID: ccab944935cfefb85f0e849ce69279fb55db75a3b7fb0960311cd9d36817041a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 04E0E6B2010109BFEF095F90DC0AD7B3B1DE704300F01892EFD06D4091E6B5AD306675
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                                                                                                                                                    • Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                                    • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                                                                                                                                                    • Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C248,?,?,00406438,0042C248,00000000,?,?,Call,?), ref: 004063CE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                                    • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                                                    • Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                                    • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                                    • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA
                                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                                      • Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                                                                                                                                                                                      • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
                                                                                                                                                                                                    • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
                                                                                                                                                                                                      • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                                                                                                                                                      • Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
                                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2972824698-0
                                                                                                                                                                                                    • Opcode ID: ce2c2b897b5b7a5940bd958f4af0b0a61f650836c27f4d249739cb61e324a33b
                                                                                                                                                                                                    • Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ce2c2b897b5b7a5940bd958f4af0b0a61f650836c27f4d249739cb61e324a33b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                                                    • Opcode ID: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
                                                                                                                                                                                                    • Instruction ID: 7e4bd3fa72896d3e54e8b4d9ea8ddceac118c8145159a7c2ee745a60f6c60e84
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DD0A773B141018BD704EBFCFE8545E73E8EB503293208C37D402E10D1E678C846461C
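The API bullets in these function records all follow one shape: an optional "Part of subcall function <addr>:" prefix, then <Api>.<MODULE>(<args>), then ", ref: <addr>", where an argument of "?" means the analysis could not recover the value and the argument list can be missing entirely (the wsprintfW.USER32 line above has none). When triaging an export of this report it is convenient to turn those bullets into records rather than read them by eye. The following is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses the listing format, separates direct calls from subcall calls, groups imports by module, and decodes the dwCreationFlags argument of the CreateProcessW call. The sample lines are copied from the records above and embedded as constructed test input; the function and class names, the regular expression and the CREATION_FLAGS table are this example's own, with the flag values taken from the Win32 documentation.

```python
"""Parse the API-call listing emitted by the Joe Sandbox IDA plugin.

Bullet shape handled here (example code, not the report's own tooling):
    • [Part of subcall function <addr>: ]<Api>.<MODULE>(<args>), ref: <addr>
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: lines copied from the report's function records.
# Leading whitespace and bullets are kept as they appear in the export.
SAMPLE = """
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
  • Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
  • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
• CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
  • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
  • Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
  • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
• Sleep.KERNELBASE(00000000), ref: 004014EA
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"        # the argument list may be absent
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# dwCreationFlags bits (Win32 values) that matter most when triaging a
# CreateProcess call; this table is the example's own selection.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)   # raw hex strings or "?"
    ref: int = 0                                # address of the call site
    parent: Optional[int] = None                # subcall function, if any

    @property
    def direct(self) -> bool:
        """True when the call belongs to this function, not to a subcall."""
        return self.parent is None


def parse_listing(text: str) -> list:
    """Return one ApiCall per matching bullet; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = raw_args.split(",") if raw_args else []
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), parent))
    return calls


def creation_flags(call: ApiCall) -> list:
    """Decode the dwCreationFlags argument (6th parameter) of CreateProcessW/A."""
    if not call.api.startswith("CreateProcess") or len(call.args) < 6:
        return []
    if call.args[5] == "?":
        return ["<unresolved>"]
    value = int(call.args[5], 16)
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]


def apis_by_module(calls: list) -> dict:
    """Map each module to the sorted list of APIs the record resolves from it."""
    out = {}
    for c in calls:
        out.setdefault(c.module, set()).add(c.api)
    return {mod: sorted(apis) for mod, apis in sorted(out.items())}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in parsed:
        where = "direct" if c.direct else f"via sub_{c.parent:08X}"
        print(f"{c.ref:08X} {c.module}!{c.api} ({len(c.args)} args, {where})")
        if c.api.startswith("CreateProcess"):
            print("  creation flags:", creation_flags(c))
    print(apis_by_module(parsed))
```

Run against the sample, the decoder reports that the CreateProcessW at 00405B49 sets only CREATE_DEFAULT_ERROR_MODE (04000000), so this particular call does not create the child suspended; the WaitForSingleObject/GetExitCodeProcess pair in sub_004069B5 is the caller waiting for that child and collecting its exit code.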
APIs
• GetDlgItem.USER32(?,00000403), ref: 0040573C
• GetDlgItem.USER32(?,000003EE), ref: 0040574B
• GetClientRect.USER32(?,?), ref: 00405788
• GetSystemMetrics.USER32(00000002), ref: 0040578F
• SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
• SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
• ShowWindow.USER32(?,00000008), ref: 0040582B
• GetDlgItem.USER32(?,000003EC), ref: 0040584C
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
• GetDlgItem.USER32(?,000003F8), ref: 0040575A
  • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
• GetDlgItem.USER32(?,000003EC), ref: 0040589E
• CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
• CloseHandle.KERNEL32(00000000), ref: 004058B3
• ShowWindow.USER32(00000000), ref: 004058D7
• ShowWindow.USER32(?,00000008), ref: 004058DC
• ShowWindow.USER32(00000008), ref: 00405926
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
• CreatePopupMenu.USER32 ref: 0040596B
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
• GetWindowRect.USER32(?,?), ref: 0040599F
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
• OpenClipboard.USER32(00000000), ref: 00405A00
• EmptyClipboard.USER32 ref: 00405A06
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
• GlobalLock.KERNEL32(00000000), ref: 00405A1C
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
• GlobalUnlock.KERNEL32(00000000), ref: 00405A50
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
• CloseClipboard.USER32 ref: 00405A61
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                    • String ID: {
                                                                                                                                                                                                    • API String ID: 590372296-366298937
                                                                                                                                                                                                    • Opcode ID: f02b1789a548c21c126c9045b4544d5ada5808600bf44a06586be8ced473be55
                                                                                                                                                                                                    • Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f02b1789a548c21c126c9045b4544d5ada5808600bf44a06586be8ced473be55
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404F29
                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                                                                                                                                                                                                    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
                                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                                                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                                                                                                                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                                                                                                                                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                                                                                                                                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00405000
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                                                                                                                                                                                      • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                                                                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 00405162
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                                                                                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00405330
                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00405340
                                                                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                                                                                                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 004054EA
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004054FC
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                                    • String ID: $M$N
                                                                                                                                                                                                    • API String ID: 2564846305-813528018
                                                                                                                                                                                                    • Opcode ID: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                                                                                                    • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
                                                                                                                                                                                                    • ShowWindow.USER32(?), ref: 00403FF6
                                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404008
                                                                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00404021
                                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00404035
                                                                                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
                                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 0040406D
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
                                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00404088
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00404133
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0040413D
                                                                                                                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00404157
                                                                                                                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 0040424E
                                                                                                                                                                                                    • ShowWindow.USER32(00000000,?), ref: 0040426F
                                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 00404281
                                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 0040429C
                                                                                                                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
                                                                                                                                                                                                    • EnableMenuItem.USER32(00000000), ref: 004042B9
                                                                                                                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
                                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
                                                                                                                                                                                                    • SetWindowTextW.USER32(?,0042D268), ref: 00404322
                                                                                                                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 00404456
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1860320154-0
                                                                                                                                                                                                    • Opcode ID: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                                                                                                    • Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040470A
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 00404738
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00404759
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 004047D4
                                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 004047DB
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404806
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404857
                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040485A
                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00404873
                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 00404876
                                                                                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                                                                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                                    • String ID: Call$N
                                                                                                                                                                                                    • API String ID: 3103080414-3438112850
                                                                                                                                                                                                    • Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                                                                                                    • Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                                    • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                                    • String ID: F
                                                                                                                                                                                                    • API String ID: 941294808-1304234792
                                                                                                                                                                                                    • Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                                                                                                    • Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 004049D9
                                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404A03
                                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                                                                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                                                                                                                                                                                                    • lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 00404AF1
                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,Call), ref: 00404AFD
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F
                                                                                                                                                                                                      • Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94
                                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
                                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
                                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
                                                                                                                                                                                                      • Part of subcall function 004067C4: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E
                                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
                                                                                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED
                                                                                                                                                                                                      • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                                      • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                                      • Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                    • String ID: A$C:\Program Files\Wildix\WIService$Call
                                                                                                                                                                                                    • API String ID: 2624150263-973401783
                                                                                                                                                                                                    • Opcode ID: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                                    • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
• GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
  • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
  • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
• GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
• wsprintfA.USER32 ref: 00406202
• GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
• SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
• GlobalFree.KERNEL32(00000000), ref: 004062EB
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2
  • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
  • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
• Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
• Opcode Fuzzy Hash: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
• Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 0040451D
• GetSysColor.USER32(00000000), ref: 0040455B
• SetTextColor.GDI32(?,00000000), ref: 00404567
• SetBkMode.GDI32(?,?), ref: 00404573
• GetSysColor.USER32(?), ref: 00404586
• SetBkColor.GDI32(?,?), ref: 00404596
• DeleteObject.GDI32(?), ref: 004045B0
• CreateBrushIndirect.GDI32(?), ref: 004045BA
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
• Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 00402758
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
  • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
• Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
• Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
• Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
APIs
• lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
• lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
• lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA
• SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
  • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
  • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1495540970-0
                                                                                                                                                                                                    • Opcode ID: 195069dcc2a5024ac29c7a45bf60c8768b6efe327543dfefb6c4dd5180e0e504
                                                                                                                                                                                                    • Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 195069dcc2a5024ac29c7a45bf60c8768b6efe327543dfefb6c4dd5180e0e504
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
• CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
• CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
• CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-4010320282
• Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
• Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
• Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
• Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
• GetMessagePos.USER32 ref: 00404E77
• ScreenToClient.USER32(?,?), ref: 00404E91
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
• Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
• Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
• Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
• MulDiv.KERNEL32(01858A60,00000064,0185B4D8), ref: 00402FDC
• wsprintfW.USER32 ref: 00402FEC
• SetWindowTextW.USER32(?,?), ref: 00402FFC
• SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
Strings
• verifying installer: %d%%, xrefs: 00402FE6
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
• Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
• Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
• Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
• GlobalFree.KERNEL32(?), ref: 00402A06
• GlobalFree.KERNEL32(00000000), ref: 00402A19
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                                    • Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                                                                                                                                                                                    • Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8
APIs
• GetDlgItem.USER32(?,?), ref: 00401D9A
• GetClientRect.USER32(?,?), ref: 00401DE5
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
• DeleteObject.GDI32(00000000), ref: 00401E39
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
• Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
• Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
• Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98
APIs
• GetDC.USER32(?), ref: 00401E51
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
• ReleaseDC.USER32(?,00000000), ref: 00401E84
  • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
  • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
• CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
• String ID:
• API String ID: 2584051700-0
• Opcode ID: 7613f5a947f4bbf8195753a17fba9eaca46e1d6fc564812dac8d5fa739d0f051
• Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
• Opcode Fuzzy Hash: 7613f5a947f4bbf8195753a17fba9eaca46e1d6fc564812dac8d5fa739d0f051
• Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
• Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
• Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
• Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                                    • wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
APIs
• CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
• CharNextW.USER32(00000000), ref: 00405ECA
• CharNextW.USER32(00000000), ref: 00405EE2
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
• lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-3081826266
APIs
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbD58.tmp\System.dll), ref: 00402695
Strings
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: lstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsbD58.tmp$C:\Users\user\AppData\Local\Temp\nsbD58.tmp\System.dll
• API String ID: 1659193697-3474659278
APIs
• DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
• GetTickCount.KERNEL32 ref: 0040304A
• CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 00405542
                                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                                                                                                                                                                                                      • Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683815752.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683931721.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2683981618.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.2684337172.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                                    • Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                                                                                                                                                    • Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,004030E9,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
                                                                                                                                                                                                    • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,004030E9,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003), ref: 00405E6E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\nsa8163.tmp, xrefs: 00405E58
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp
• API String ID: 2709904686-2144395985
• Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
• Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
• Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
• Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
• CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
• lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
Memory Dump Source
• Source File: 00000007.00000002.2683873927.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
• Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
• Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
• Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Execution Graph

Execution Coverage: 23.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1343
Total number of Limit Nodes: 25
3833->3837 3840 402ba9 3833->3840 3835 40690a 5 API calls 3834->3835 3836 402bb2 3835->3836 3838 402da6 17 API calls 3836->3838 3839 402b6e 3837->3839 3841 402bbb 3838->3841 3842 402d84 17 API calls 3839->3842 3841->3840 3843 402bbf IIDFromString 3841->3843 3845 402b7a 3842->3845 3843->3840 3844 402bce 3843->3844 3844->3840 3850 40653d lstrcpynW 3844->3850 3849 406484 wsprintfW 3845->3849 3848 402beb CoTaskMemFree 3848->3840 3849->3840 3850->3848 3661 40175c 3662 402da6 17 API calls 3661->3662 3663 401763 3662->3663 3664 40605c 2 API calls 3663->3664 3665 40176a 3664->3665 3666 40605c 2 API calls 3665->3666 3666->3665 3851 401d5d 3852 402d84 17 API calls 3851->3852 3853 401d6e SetWindowLongW 3852->3853 3854 402c2a 3853->3854 3667 4028de 3668 4028e6 3667->3668 3669 4028ea FindNextFileW 3668->3669 3672 4028fc 3668->3672 3670 402943 3669->3670 3669->3672 3673 40653d lstrcpynW 3670->3673 3673->3672 3855 4056de 3856 405888 3855->3856 3857 4056ff GetDlgItem GetDlgItem GetDlgItem 3855->3857 3858 405891 GetDlgItem CreateThread CloseHandle 3856->3858 3859 4058b9 3856->3859 3900 4044ce SendMessageW 3857->3900 3858->3859 3862 4058e4 3859->3862 3863 4058d0 ShowWindow ShowWindow 3859->3863 3864 405909 3859->3864 3861 40576f 3866 405776 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3861->3866 3865 405944 3862->3865 3868 4058f8 3862->3868 3869 40591e ShowWindow 3862->3869 3902 4044ce SendMessageW 3863->3902 3870 404500 8 API calls 3864->3870 3865->3864 3873 405952 SendMessageW 3865->3873 3871 4057e4 3866->3871 3872 4057c8 SendMessageW SendMessageW 3866->3872 3903 404472 3868->3903 3876 405930 3869->3876 3877 40593e 3869->3877 3875 405917 3870->3875 3879 4057f7 3871->3879 3880 4057e9 SendMessageW 3871->3880 3872->3871 3873->3875 3881 40596b CreatePopupMenu 3873->3881 3882 40559f 24 API calls 3876->3882 3878 404472 SendMessageW 3877->3878 3878->3865 3884 404499 18 API calls 3879->3884 3880->3879 3883 40657a 17 API calls 3881->3883 3882->3877 3885 40597b AppendMenuW 
3883->3885 3886 405807 3884->3886 3887 405998 GetWindowRect 3885->3887 3888 4059ab TrackPopupMenu 3885->3888 3889 405810 ShowWindow 3886->3889 3890 405844 GetDlgItem SendMessageW 3886->3890 3887->3888 3888->3875 3891 4059c6 3888->3891 3892 405833 3889->3892 3893 405826 ShowWindow 3889->3893 3890->3875 3894 40586b SendMessageW SendMessageW 3890->3894 3895 4059e2 SendMessageW 3891->3895 3901 4044ce SendMessageW 3892->3901 3893->3892 3894->3875 3895->3895 3896 4059ff OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3895->3896 3898 405a24 SendMessageW 3896->3898 3898->3898 3899 405a4d GlobalUnlock SetClipboardData CloseClipboard 3898->3899 3899->3875 3900->3861 3901->3890 3902->3862 3904 404479 3903->3904 3905 40447f SendMessageW 3903->3905 3904->3905 3905->3864 3906 404ce0 3907 404cf0 3906->3907 3908 404d0c 3906->3908 3917 405b81 GetDlgItemTextW 3907->3917 3910 404d12 SHGetPathFromIDListW 3908->3910 3911 404d3f 3908->3911 3913 404d22 3910->3913 3916 404d29 SendMessageW 3910->3916 3912 404cfd SendMessageW 3912->3908 3915 40140b 2 API calls 3913->3915 3915->3916 3916->3911 3917->3912 3918 401563 3919 402ba4 3918->3919 3922 406484 wsprintfW 3919->3922 3921 402ba9 3922->3921 3923 401968 3924 402d84 17 API calls 3923->3924 3925 40196f 3924->3925 3926 402d84 17 API calls 3925->3926 3927 40197c 3926->3927 3928 402da6 17 API calls 3927->3928 3929 401993 lstrlenW 3928->3929 3930 4019a4 3929->3930 3934 4019e5 3930->3934 3935 40653d lstrcpynW 3930->3935 3932 4019d5 3933 4019da lstrlenW 3932->3933 3932->3934 3933->3934 3935->3932 3936 40166a 3937 402da6 17 API calls 3936->3937 3938 401670 3937->3938 3939 406873 2 API calls 3938->3939 3940 401676 3939->3940 3941 402aeb 3942 402d84 17 API calls 3941->3942 3943 402af1 3942->3943 3944 40657a 17 API calls 3943->3944 3945 40292e 3943->3945 3944->3945 3946 4026ec 3947 402d84 17 API calls 3946->3947 3954 4026fb 3947->3954 3948 402838 3949 402745 ReadFile 3949->3948 3949->3954 3950 4060b0 ReadFile 3950->3954 3951 402785 
MultiByteToWideChar 3951->3954 3952 40283a 3968 406484 wsprintfW 3952->3968 3954->3948 3954->3949 3954->3950 3954->3951 3954->3952 3956 4027ab SetFilePointer MultiByteToWideChar 3954->3956 3958 40284b 3954->3958 3959 40610e SetFilePointer 3954->3959 3956->3954 3957 40286c SetFilePointer 3957->3948 3958->3948 3958->3957 3960 40612a 3959->3960 3963 406142 3959->3963 3961 4060b0 ReadFile 3960->3961 3962 406136 3961->3962 3962->3963 3964 406173 SetFilePointer 3962->3964 3965 40614b SetFilePointer 3962->3965 3963->3954 3964->3963 3965->3964 3966 406156 3965->3966 3967 4060df WriteFile 3966->3967 3967->3963 3968->3948 3516 40176f 3517 402da6 17 API calls 3516->3517 3518 401776 3517->3518 3519 401796 3518->3519 3520 40179e 3518->3520 3555 40653d lstrcpynW 3519->3555 3556 40653d lstrcpynW 3520->3556 3523 40179c 3527 4067c4 5 API calls 3523->3527 3524 4017a9 3525 405e0c 3 API calls 3524->3525 3526 4017af lstrcatW 3525->3526 3526->3523 3544 4017bb 3527->3544 3528 406873 2 API calls 3528->3544 3529 406008 2 API calls 3529->3544 3531 4017cd CompareFileTime 3531->3544 3532 40188d 3534 40559f 24 API calls 3532->3534 3533 401864 3535 40559f 24 API calls 3533->3535 3539 401879 3533->3539 3537 401897 3534->3537 3535->3539 3536 40653d lstrcpynW 3536->3544 3538 4032b4 31 API calls 3537->3538 3540 4018aa 3538->3540 3541 4018be SetFileTime 3540->3541 3542 4018d0 CloseHandle 3540->3542 3541->3542 3542->3539 3545 4018e1 3542->3545 3543 40657a 17 API calls 3543->3544 3544->3528 3544->3529 3544->3531 3544->3532 3544->3533 3544->3536 3544->3543 3550 405b9d MessageBoxIndirectW 3544->3550 3554 40602d GetFileAttributesW CreateFileW 3544->3554 3546 4018e6 3545->3546 3547 4018f9 3545->3547 3548 40657a 17 API calls 3546->3548 3549 40657a 17 API calls 3547->3549 3551 4018ee lstrcatW 3548->3551 3552 401901 3549->3552 3550->3544 3551->3552 3553 405b9d MessageBoxIndirectW 3552->3553 3553->3539 3554->3544 3555->3523 3556->3524 3969 401a72 3970 402d84 17 API calls 3969->3970 3971 401a7b 3970->3971 3972 
402d84 17 API calls 3971->3972 3973 401a20 3972->3973 3974 401573 3975 401583 ShowWindow 3974->3975 3976 40158c 3974->3976 3975->3976 3977 402c2a 3976->3977 3978 40159a ShowWindow 3976->3978 3978->3977 3979 4023f4 3980 402da6 17 API calls 3979->3980 3981 402403 3980->3981 3982 402da6 17 API calls 3981->3982 3983 40240c 3982->3983 3984 402da6 17 API calls 3983->3984 3985 402416 GetPrivateProfileStringW 3984->3985 3986 4014f5 SetForegroundWindow 3987 402c2a 3986->3987 3988 401ff6 3989 402da6 17 API calls 3988->3989 3990 401ffd 3989->3990 3991 406873 2 API calls 3990->3991 3992 402003 3991->3992 3994 402014 3992->3994 3995 406484 wsprintfW 3992->3995 3995->3994 3996 401b77 3997 402da6 17 API calls 3996->3997 3998 401b7e 3997->3998 3999 402d84 17 API calls 3998->3999 4000 401b87 wsprintfW 3999->4000 4001 402c2a 4000->4001 4002 40167b 4003 402da6 17 API calls 4002->4003 4004 401682 4003->4004 4005 402da6 17 API calls 4004->4005 4006 40168b 4005->4006 4007 402da6 17 API calls 4006->4007 4008 401694 MoveFileW 4007->4008 4009 4016a7 4008->4009 4015 4016a0 4008->4015 4011 406873 2 API calls 4009->4011 4013 4022f6 4009->4013 4010 401423 24 API calls 4010->4013 4012 4016b6 4011->4012 4012->4013 4014 4062fd 36 API calls 4012->4014 4014->4015 4015->4010 4016 4019ff 4017 402da6 17 API calls 4016->4017 4018 401a06 4017->4018 4019 402da6 17 API calls 4018->4019 4020 401a0f 4019->4020 4021 401a16 lstrcmpiW 4020->4021 4022 401a28 lstrcmpW 4020->4022 4023 401a1c 4021->4023 4022->4023 4024 4022ff 4025 402da6 17 API calls 4024->4025 4026 402305 4025->4026 4027 402da6 17 API calls 4026->4027 4028 40230e 4027->4028 4029 402da6 17 API calls 4028->4029 4030 402317 4029->4030 4031 406873 2 API calls 4030->4031 4032 402320 4031->4032 4033 402331 lstrlenW lstrlenW 4032->4033 4037 402324 4032->4037 4035 40559f 24 API calls 4033->4035 4034 40559f 24 API calls 4038 40232c 4034->4038 4036 40236f SHFileOperationW 4035->4036 4036->4037 4036->4038 4037->4034 4037->4038 4039 401000 4040 401037 
BeginPaint GetClientRect 4039->4040 4041 40100c DefWindowProcW 4039->4041 4043 4010f3 4040->4043 4046 401179 4041->4046 4044 401073 CreateBrushIndirect FillRect DeleteObject 4043->4044 4045 4010fc 4043->4045 4044->4043 4047 401102 CreateFontIndirectW 4045->4047 4048 401167 EndPaint 4045->4048 4047->4048 4049 401112 6 API calls 4047->4049 4048->4046 4049->4048 4050 401d81 4051 401d94 GetDlgItem 4050->4051 4052 401d87 4050->4052 4054 401d8e 4051->4054 4053 402d84 17 API calls 4052->4053 4053->4054 4056 402da6 17 API calls 4054->4056 4058 401dd5 GetClientRect LoadImageW SendMessageW 4054->4058 4056->4058 4057 401e33 4059 401e38 DeleteObject 4057->4059 4060 401e3f 4057->4060 4058->4057 4058->4060 4059->4060 4061 401503 4062 40150b 4061->4062 4064 40151e 4061->4064 4063 402d84 17 API calls 4062->4063 4063->4064 4065 402383 4066 40238a 4065->4066 4069 40239d 4065->4069 4067 40657a 17 API calls 4066->4067 4068 402397 4067->4068 4070 405b9d MessageBoxIndirectW 4068->4070 4070->4069 4071 402c05 SendMessageW 4072 402c2a 4071->4072 4073 402c1f InvalidateRect 4071->4073 4073->4072 4074 404f06 GetDlgItem GetDlgItem 4075 404f58 7 API calls 4074->4075 4081 40517d 4074->4081 4076 404ff2 SendMessageW 4075->4076 4077 404fff DeleteObject 4075->4077 4076->4077 4078 405008 4077->4078 4079 40503f 4078->4079 4082 40657a 17 API calls 4078->4082 4083 404499 18 API calls 4079->4083 4080 40525f 4084 40530b 4080->4084 4094 4052b8 SendMessageW 4080->4094 4114 405170 4080->4114 4081->4080 4085 4051ec 4081->4085 4128 404e54 SendMessageW 4081->4128 4088 405021 SendMessageW SendMessageW 4082->4088 4089 405053 4083->4089 4086 405315 SendMessageW 4084->4086 4087 40531d 4084->4087 4085->4080 4090 405251 SendMessageW 4085->4090 4086->4087 4096 405336 4087->4096 4097 40532f ImageList_Destroy 4087->4097 4112 405346 4087->4112 4088->4078 4093 404499 18 API calls 4089->4093 4090->4080 4091 404500 8 API calls 4095 40550c 4091->4095 4107 405064 4093->4107 4099 4052cd SendMessageW 4094->4099 4094->4114 4100 
40533f GlobalFree 4096->4100 4096->4112 4097->4096 4098 4054c0 4103 4054d2 ShowWindow GetDlgItem ShowWindow 4098->4103 4098->4114 4102 4052e0 4099->4102 4100->4112 4101 40513f GetWindowLongW SetWindowLongW 4104 405158 4101->4104 4113 4052f1 SendMessageW 4102->4113 4103->4114 4105 405175 4104->4105 4106 40515d ShowWindow 4104->4106 4127 4044ce SendMessageW 4105->4127 4126 4044ce SendMessageW 4106->4126 4107->4101 4108 40513a 4107->4108 4111 4050b7 SendMessageW 4107->4111 4115 4050f5 SendMessageW 4107->4115 4116 405109 SendMessageW 4107->4116 4108->4101 4108->4104 4111->4107 4112->4098 4119 405381 4112->4119 4133 404ed4 4112->4133 4113->4084 4114->4091 4115->4107 4116->4107 4118 40548b 4120 405496 InvalidateRect 4118->4120 4123 4054a2 4118->4123 4121 4053af SendMessageW 4119->4121 4122 4053c5 4119->4122 4120->4123 4121->4122 4122->4118 4124 405439 SendMessageW SendMessageW 4122->4124 4123->4098 4142 404e0f 4123->4142 4124->4122 4126->4114 4127->4081 4129 404eb3 SendMessageW 4128->4129 4130 404e77 GetMessagePos ScreenToClient SendMessageW 4128->4130 4132 404eab 4129->4132 4131 404eb0 4130->4131 4130->4132 4131->4129 4132->4085 4145 40653d lstrcpynW 4133->4145 4135 404ee7 4146 406484 wsprintfW 4135->4146 4137 404ef1 4138 40140b 2 API calls 4137->4138 4139 404efa 4138->4139 4147 40653d lstrcpynW 4139->4147 4141 404f01 4141->4119 4148 404d46 4142->4148 4144 404e24 4144->4098 4145->4135 4146->4137 4147->4141 4149 404d5f 4148->4149 4150 40657a 17 API calls 4149->4150 4151 404dc3 4150->4151 4152 40657a 17 API calls 4151->4152 4153 404dce 4152->4153 4154 40657a 17 API calls 4153->4154 4155 404de4 lstrlenW wsprintfW SetDlgItemTextW 4154->4155 4155->4144 3170 401389 3172 401390 3170->3172 3171 4013fe 3172->3171 3173 4013cb MulDiv SendMessageW 3172->3173 3173->3172 4156 404609 lstrlenW 4157 404628 4156->4157 4158 40462a WideCharToMultiByte 4156->4158 4157->4158 3174 40248a 3175 402da6 17 API calls 3174->3175 3176 40249c 3175->3176 3177 402da6 17 API calls 3176->3177 3178 4024a6 
3177->3178 3191 402e36 3178->3191 3181 40292e 3182 4024de 3184 4024ea 3182->3184 3195 402d84 3182->3195 3183 402da6 17 API calls 3186 4024d4 lstrlenW 3183->3186 3185 402509 RegSetValueExW 3184->3185 3198 4032b4 3184->3198 3189 40251f RegCloseKey 3185->3189 3186->3182 3189->3181 3192 402e51 3191->3192 3218 4063d8 3192->3218 3196 40657a 17 API calls 3195->3196 3197 402d99 3196->3197 3197->3184 3199 4032cd 3198->3199 3200 4032fb 3199->3200 3225 4034e5 SetFilePointer 3199->3225 3222 4034cf 3200->3222 3204 403468 3206 4034aa 3204->3206 3211 40346c 3204->3211 3205 403318 GetTickCount 3212 403452 3205->3212 3217 403367 3205->3217 3208 4034cf ReadFile 3206->3208 3207 4034cf ReadFile 3207->3217 3208->3212 3209 4034cf ReadFile 3209->3211 3210 4060df WriteFile 3210->3211 3211->3209 3211->3210 3211->3212 3212->3185 3213 4033bd GetTickCount 3213->3217 3214 4033e2 MulDiv wsprintfW 3215 40559f 24 API calls 3214->3215 3215->3217 3216 4060df WriteFile 3216->3217 3217->3207 3217->3212 3217->3213 3217->3214 3217->3216 3219 4063e7 3218->3219 3220 4063f2 RegCreateKeyExW 3219->3220 3221 4024b6 3219->3221 3220->3221 3221->3181 3221->3182 3221->3183 3223 4060b0 ReadFile 3222->3223 3224 403306 3223->3224 3224->3204 3224->3205 3224->3212 3225->3200 4159 40498a 4160 4049b6 4159->4160 4161 4049c7 4159->4161 4220 405b81 GetDlgItemTextW 4160->4220 4163 4049d3 GetDlgItem 4161->4163 4168 404a32 4161->4168 4166 4049e7 4163->4166 4164 404b16 4218 404cc5 4164->4218 4222 405b81 GetDlgItemTextW 4164->4222 4165 4049c1 4167 4067c4 5 API calls 4165->4167 4170 4049fb SetWindowTextW 4166->4170 4171 405eb7 4 API calls 4166->4171 4167->4161 4168->4164 4172 40657a 17 API calls 4168->4172 4168->4218 4174 404499 18 API calls 4170->4174 4176 4049f1 4171->4176 4177 404aa6 SHBrowseForFolderW 4172->4177 4173 404b46 4178 405f14 18 API calls 4173->4178 4179 404a17 4174->4179 4175 404500 8 API calls 4180 404cd9 4175->4180 4176->4170 4184 405e0c 3 API calls 4176->4184 4177->4164 4181 404abe CoTaskMemFree 4177->4181 
4182 404b4c 4178->4182 4183 404499 18 API calls 4179->4183 4185 405e0c 3 API calls 4181->4185 4223 40653d lstrcpynW 4182->4223 4186 404a25 4183->4186 4184->4170 4187 404acb 4185->4187 4221 4044ce SendMessageW 4186->4221 4190 404b02 SetDlgItemTextW 4187->4190 4195 40657a 17 API calls 4187->4195 4190->4164 4191 404a2b 4193 40690a 5 API calls 4191->4193 4192 404b63 4194 40690a 5 API calls 4192->4194 4193->4168 4202 404b6a 4194->4202 4196 404aea lstrcmpiW 4195->4196 4196->4190 4199 404afb lstrcatW 4196->4199 4197 404bab 4224 40653d lstrcpynW 4197->4224 4199->4190 4200 404bb2 4201 405eb7 4 API calls 4200->4201 4203 404bb8 GetDiskFreeSpaceW 4201->4203 4202->4197 4205 405e58 2 API calls 4202->4205 4207 404c03 4202->4207 4206 404bdc MulDiv 4203->4206 4203->4207 4205->4202 4206->4207 4208 404c74 4207->4208 4210 404e0f 20 API calls 4207->4210 4209 404c97 4208->4209 4211 40140b 2 API calls 4208->4211 4225 4044bb EnableWindow 4209->4225 4212 404c61 4210->4212 4211->4209 4214 404c76 SetDlgItemTextW 4212->4214 4215 404c66 4212->4215 4214->4208 4217 404d46 20 API calls 4215->4217 4216 404cb3 4216->4218 4219 4048e3 SendMessageW 4216->4219 4217->4208 4218->4175 4219->4218 4220->4165 4221->4191 4222->4173 4223->4192 4224->4200 4225->4216 3259 40290b 3260 402da6 17 API calls 3259->3260 3261 402912 FindFirstFileW 3260->3261 3262 40293a 3261->3262 3266 402925 3261->3266 3267 406484 wsprintfW 3262->3267 3264 402943 3268 40653d lstrcpynW 3264->3268 3267->3264 3268->3266 4226 40190c 4227 401943 4226->4227 4228 402da6 17 API calls 4227->4228 4229 401948 4228->4229 4230 405c49 67 API calls 4229->4230 4231 401951 4230->4231 4232 40190f 4233 402da6 17 API calls 4232->4233 4234 401916 4233->4234 4235 405b9d MessageBoxIndirectW 4234->4235 4236 40191f 4235->4236 3557 402891 3558 402898 3557->3558 3560 402ba9 3557->3560 3559 402d84 17 API calls 3558->3559 3561 40289f 3559->3561 3562 4028ae SetFilePointer 3561->3562 3562->3560 3563 4028be 3562->3563 3565 406484 wsprintfW 3563->3565 3565->3560 4237 
401491 4238 40559f 24 API calls 4237->4238 4239 401498 4238->4239 3566 403b12 3567 403b2a 3566->3567 3568 403b1c CloseHandle 3566->3568 3573 403b57 3567->3573 3568->3567 3571 405c49 67 API calls 3572 403b3b 3571->3572 3575 403b65 3573->3575 3574 403b2f 3574->3571 3575->3574 3576 403b6a FreeLibrary GlobalFree 3575->3576 3576->3574 3576->3576 4240 401f12 4241 402da6 17 API calls 4240->4241 4242 401f18 4241->4242 4243 402da6 17 API calls 4242->4243 4244 401f21 4243->4244 4245 402da6 17 API calls 4244->4245 4246 401f2a 4245->4246 4247 402da6 17 API calls 4246->4247 4248 401f33 4247->4248 4249 401423 24 API calls 4248->4249 4250 401f3a 4249->4250 4257 405b63 ShellExecuteExW 4250->4257 4252 401f82 4253 40292e 4252->4253 4254 4069b5 5 API calls 4252->4254 4255 401f9f CloseHandle 4254->4255 4255->4253 4257->4252 4258 405513 4259 405523 4258->4259 4260 405537 4258->4260 4261 405580 4259->4261 4262 405529 4259->4262 4263 40553f IsWindowVisible 4260->4263 4269 405556 4260->4269 4264 405585 CallWindowProcW 4261->4264 4265 4044e5 SendMessageW 4262->4265 4263->4261 4266 40554c 4263->4266 4267 405533 4264->4267 4265->4267 4268 404e54 5 API calls 4266->4268 4268->4269 4269->4264 4270 404ed4 4 API calls 4269->4270 4270->4261 4271 402f93 4272 402fa5 SetTimer 4271->4272 4273 402fbe 4271->4273 4272->4273 4274 403013 4273->4274 4275 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4273->4275 4275->4274 4276 401d17 4277 402d84 17 API calls 4276->4277 4278 401d1d IsWindow 4277->4278 4279 401a20 4278->4279 4280 403f9a 4281 403fb2 4280->4281 4282 404113 4280->4282 4281->4282 4283 403fbe 4281->4283 4284 404164 4282->4284 4285 404124 GetDlgItem GetDlgItem 4282->4285 4286 403fc9 SetWindowPos 4283->4286 4287 403fdc 4283->4287 4289 4041be 4284->4289 4300 401389 2 API calls 4284->4300 4288 404499 18 API calls 4285->4288 4286->4287 4291 403fe5 ShowWindow 4287->4291 4292 404027 4287->4292 4293 40414e SetClassLongW 4288->4293 4290 4044e5 SendMessageW 4289->4290 4294 40410e 4289->4294 4322 
4041d0 4290->4322 4295 4040d1 4291->4295 4296 404005 GetWindowLongW 4291->4296 4297 404046 4292->4297 4298 40402f DestroyWindow 4292->4298 4299 40140b 2 API calls 4293->4299 4301 404500 8 API calls 4295->4301 4296->4295 4302 40401e ShowWindow 4296->4302 4304 40404b SetWindowLongW 4297->4304 4305 40405c 4297->4305 4303 404422 4298->4303 4299->4284 4306 404196 4300->4306 4301->4294 4302->4292 4303->4294 4311 404453 ShowWindow 4303->4311 4304->4294 4305->4295 4310 404068 GetDlgItem 4305->4310 4306->4289 4307 40419a SendMessageW 4306->4307 4307->4294 4308 40140b 2 API calls 4308->4322 4309 404424 DestroyWindow EndDialog 4309->4303 4312 404096 4310->4312 4313 404079 SendMessageW IsWindowEnabled 4310->4313 4311->4294 4315 4040a3 4312->4315 4316 4040ea SendMessageW 4312->4316 4317 4040b6 4312->4317 4325 40409b 4312->4325 4313->4294 4313->4312 4314 40657a 17 API calls 4314->4322 4315->4316 4315->4325 4316->4295 4320 4040d3 4317->4320 4321 4040be 4317->4321 4318 404472 SendMessageW 4318->4295 4319 404499 18 API calls 4319->4322 4324 40140b 2 API calls 4320->4324 4323 40140b 2 API calls 4321->4323 4322->4294 4322->4308 4322->4309 4322->4314 4322->4319 4326 404499 18 API calls 4322->4326 4342 404364 DestroyWindow 4322->4342 4323->4325 4324->4325 4325->4295 4325->4318 4327 40424b GetDlgItem 4326->4327 4328 404260 4327->4328 4329 404268 ShowWindow EnableWindow 4327->4329 4328->4329 4351 4044bb EnableWindow 4329->4351 4331 404292 EnableWindow 4336 4042a6 4331->4336 4332 4042ab GetSystemMenu EnableMenuItem SendMessageW 4333 4042db SendMessageW 4332->4333 4332->4336 4333->4336 4335 403f7b 18 API calls 4335->4336 4336->4332 4336->4335 4352 4044ce SendMessageW 4336->4352 4353 40653d lstrcpynW 4336->4353 4338 40430a lstrlenW 4339 40657a 17 API calls 4338->4339 4340 404320 SetWindowTextW 4339->4340 4341 401389 2 API calls 4340->4341 4341->4322 4342->4303 4343 40437e CreateDialogParamW 4342->4343 4343->4303 4344 4043b1 4343->4344 4345 404499 18 API calls 4344->4345 4346 4043bc 
GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4345->4346 4347 401389 2 API calls 4346->4347 4348 404402 4347->4348 4348->4294 4349 40440a ShowWindow 4348->4349 4350 4044e5 SendMessageW 4349->4350 4350->4303 4351->4331 4352->4336 4353->4338 3638 401b9b 3639 401ba8 3638->3639 3640 401bec 3638->3640 3643 401c31 3639->3643 3648 401bbf 3639->3648 3641 401bf1 3640->3641 3642 401c16 GlobalAlloc 3640->3642 3656 40239d 3641->3656 3659 40653d lstrcpynW 3641->3659 3645 40657a 17 API calls 3642->3645 3644 40657a 17 API calls 3643->3644 3643->3656 3646 402397 3644->3646 3645->3643 3652 405b9d MessageBoxIndirectW 3646->3652 3657 40653d lstrcpynW 3648->3657 3650 401c03 GlobalFree 3650->3656 3651 401bce 3658 40653d lstrcpynW 3651->3658 3652->3656 3654 401bdd 3660 40653d lstrcpynW 3654->3660 3657->3651 3658->3654 3659->3650 3660->3656 4354 40261c 4355 402da6 17 API calls 4354->4355 4356 402623 4355->4356 4359 40602d GetFileAttributesW CreateFileW 4356->4359 4358 40262f 4359->4358 3674 40259e 3675 402de6 17 API calls 3674->3675 3676 4025a8 3675->3676 3677 402d84 17 API calls 3676->3677 3678 4025b1 3677->3678 3679 4025d9 RegEnumValueW 3678->3679 3680 4025cd RegEnumKeyW 3678->3680 3682 40292e 3678->3682 3681 4025ee RegCloseKey 3679->3681 3680->3681 3681->3682 4360 40149e 4361 4014ac PostQuitMessage 4360->4361 4362 40239d 4360->4362 4361->4362 4363 4015a3 4364 402da6 17 API calls 4363->4364 4365 4015aa SetFileAttributesW 4364->4365 4366 4015bc 4365->4366 3144 401fa4 3145 402da6 17 API calls 3144->3145 3146 401faa 3145->3146 3147 40559f 24 API calls 3146->3147 3148 401fb4 3147->3148 3157 405b20 CreateProcessW 3148->3157 3153 40292e 3154 401fcf 3156 401fdd CloseHandle 3154->3156 3165 406484 wsprintfW 3154->3165 3156->3153 3158 405b53 CloseHandle 3157->3158 3159 401fba 3157->3159 3158->3159 3159->3153 3159->3156 3160 4069b5 WaitForSingleObject 3159->3160 3161 4069cf 3160->3161 3162 4069e1 GetExitCodeProcess 3161->3162 3166 406946 3161->3166 3162->3154 3165->3156 3167 406963 
PeekMessageW 3166->3167 3168 406973 WaitForSingleObject 3167->3168 3169 406959 DispatchMessageW 3167->3169 3168->3161 3169->3167 3226 40252a 3237 402de6 3226->3237 3229 402da6 17 API calls 3230 40253d 3229->3230 3231 402548 RegQueryValueExW 3230->3231 3236 40292e 3230->3236 3232 40256e RegCloseKey 3231->3232 3233 402568 3231->3233 3232->3236 3233->3232 3242 406484 wsprintfW 3233->3242 3238 402da6 17 API calls 3237->3238 3239 402dfd 3238->3239 3240 4063aa RegOpenKeyExW 3239->3240 3241 402534 3240->3241 3241->3229 3242->3232 3243 4021aa 3244 402da6 17 API calls 3243->3244 3245 4021b1 3244->3245 3246 402da6 17 API calls 3245->3246 3247 4021bb 3246->3247 3248 402da6 17 API calls 3247->3248 3249 4021c5 3248->3249 3250 402da6 17 API calls 3249->3250 3251 4021cf 3250->3251 3252 402da6 17 API calls 3251->3252 3253 4021d9 3252->3253 3254 402218 CoCreateInstance 3253->3254 3255 402da6 17 API calls 3253->3255 3258 402237 3254->3258 3255->3254 3256 401423 24 API calls 3257 4022f6 3256->3257 3258->3256 3258->3257 4367 40202a 4368 402da6 17 API calls 4367->4368 4369 402031 4368->4369 4370 40690a 5 API calls 4369->4370 4371 402040 4370->4371 4372 40205c GlobalAlloc 4371->4372 4375 4020cc 4371->4375 4373 402070 4372->4373 4372->4375 4374 40690a 5 API calls 4373->4374 4376 402077 4374->4376 4377 40690a 5 API calls 4376->4377 4378 402081 4377->4378 4378->4375 4382 406484 wsprintfW 4378->4382 4380 4020ba 4383 406484 wsprintfW 4380->4383 4382->4380 4383->4375 4384 403baa 4385 403bb5 4384->4385 4386 403bbc GlobalAlloc 4385->4386 4387 403bb9 4385->4387 4386->4387 3269 40352d SetErrorMode GetVersionExW 3270 4035b7 3269->3270 3271 40357f GetVersionExW 3269->3271 3272 403610 3270->3272 3273 40690a 5 API calls 3270->3273 3271->3270 3274 40689a 3 API calls 3272->3274 3273->3272 3275 403626 lstrlenA 3274->3275 3275->3272 3276 403636 3275->3276 3277 40690a 5 API calls 3276->3277 3278 40363d 3277->3278 3279 40690a 5 API calls 3278->3279 3280 403644 3279->3280 3281 40690a 5 API calls 3280->3281 
3285 403650 #17 OleInitialize SHGetFileInfoW 3281->3285 3284 40369d GetCommandLineW 3360 40653d lstrcpynW 3284->3360 3359 40653d lstrcpynW 3285->3359 3287 4036af 3288 405e39 CharNextW 3287->3288 3289 4036d5 CharNextW 3288->3289 3301 4036e6 3289->3301 3290 4037e4 3291 4037f8 GetTempPathW 3290->3291 3361 4034fc 3291->3361 3293 403810 3295 403814 GetWindowsDirectoryW lstrcatW 3293->3295 3296 40386a DeleteFileW 3293->3296 3294 405e39 CharNextW 3294->3301 3297 4034fc 12 API calls 3295->3297 3371 40307d GetTickCount GetModuleFileNameW 3296->3371 3299 403830 3297->3299 3299->3296 3302 403834 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3299->3302 3300 40387d 3304 403a59 ExitProcess CoUninitialize 3300->3304 3306 403932 3300->3306 3314 405e39 CharNextW 3300->3314 3301->3290 3301->3294 3303 4037e6 3301->3303 3305 4034fc 12 API calls 3302->3305 3456 40653d lstrcpynW 3303->3456 3308 403a69 3304->3308 3309 403a7e 3304->3309 3313 403862 3305->3313 3399 403bec 3306->3399 3461 405b9d 3308->3461 3311 403a86 GetCurrentProcess OpenProcessToken 3309->3311 3312 403afc ExitProcess 3309->3312 3317 403acc 3311->3317 3318 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 3311->3318 3313->3296 3313->3304 3328 40389f 3314->3328 3321 40690a 5 API calls 3317->3321 3318->3317 3319 403941 3319->3304 3324 403ad3 3321->3324 3322 403908 3325 405f14 18 API calls 3322->3325 3323 403949 3327 405b08 5 API calls 3323->3327 3326 403ae8 ExitWindowsEx 3324->3326 3330 403af5 3324->3330 3329 403914 3325->3329 3326->3312 3326->3330 3331 40394e lstrcatW 3327->3331 3328->3322 3328->3323 3329->3304 3457 40653d lstrcpynW 3329->3457 3465 40140b 3330->3465 3332 40396a lstrcatW lstrcmpiW 3331->3332 3333 40395f lstrcatW 3331->3333 3332->3319 3335 40398a 3332->3335 3333->3332 3337 403996 3335->3337 3338 40398f 3335->3338 3341 405aeb 2 API calls 3337->3341 3340 405a6e 4 API calls 3338->3340 3339 403927 3458 40653d lstrcpynW 3339->3458 3343 403994 3340->3343 3344 40399b SetCurrentDirectoryW 

Control-flow Graph (legend: Executed / Not Executed; graph edge data omitted)
APIs
• SetErrorMode.KERNELBASE(00008001), ref: 00403550
• GetVersionExW.KERNEL32(?), ref: 00403579
• GetVersionExW.KERNEL32(0000011C), ref: 00403590
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
• #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
• OleInitialize.OLE32(00000000), ref: 0040366A
• SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
• GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
• CharNextW.USER32(00000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true,00000020,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true,00000000), ref: 004036D6
• GetTempPathW.KERNEL32(00000400,00442800,00000000,?), ref: 00403809
• GetWindowsDirectoryW.KERNEL32(00442800,000003FB), ref: 0040381A
• lstrcatW.KERNEL32(00442800,\Temp), ref: 00403826
• GetTempPathW.KERNEL32(000003FC,00442800,00442800,\Temp), ref: 0040383A
• lstrcatW.KERNEL32(00442800,Low), ref: 00403842
• SetEnvironmentVariableW.KERNEL32(TEMP,00442800,00442800,Low), ref: 00403853
• SetEnvironmentVariableW.KERNEL32(TMP,00442800), ref: 0040385B
• DeleteFileW.KERNELBASE(00442000), ref: 0040386F
• lstrcatW.KERNEL32(00442800,~nsu,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true,00000000,?), ref: 00403956
• lstrcatW.KERNEL32(00442800,0040A26C,00442800,~nsu,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true,00000000,?), ref: 00403965
  • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00405AF1
• lstrcatW.KERNEL32(00442800,.tmp,00442800,~nsu,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true,00000000,?), ref: 00403970
• lstrcmpiW.KERNEL32(00442800,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,00442800,.tmp,00442800,~nsu,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true,00000000,?), ref: 0040397C
• SetCurrentDirectoryW.KERNEL32(00442800,00442800), ref: 0040399C
• DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
• CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,0042AA28,00000001), ref: 00403A0E
• CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
• ExitProcess.KERNEL32(?), ref: 00403A59
• CoUninitialize.COMBASE(?), ref: 00403A5E
• ExitProcess.KERNEL32 ref: 00403A78
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
• OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
• ExitProcess.KERNEL32 ref: 00403B0C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: .tmp$C:\Program Files\Wildix\WIService$C:\Program Files\Wildix\WIService$C:\Users\user\AppData\Local\Temp\nsa8163.tmp$C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe$C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe /S /updateRecovery=true$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 2292928366-2884835453
• Opcode ID: e805ab00ed8521cef9d67492f65783a092b2e0cefe37e968f3c93af94c7db321
• Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
• Opcode Fuzzy Hash: e805ab00ed8521cef9d67492f65783a092b2e0cefe37e968f3c93af94c7db321
• Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Control-flow Graph (legend: Executed / Not Executed; graph edge data omitted)
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,74DF3420,00442800,00000000), ref: 00405C72
                                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Windows\TEMP\nsh1036.tmp\*.*,\*.*,C:\Windows\TEMP\nsh1036.tmp\*.*,?,?,74DF3420,00442800,00000000), ref: 00405CBA
                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014,?,C:\Windows\TEMP\nsh1036.tmp\*.*,?,?,74DF3420,00442800,00000000), ref: 00405CDD
                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Windows\TEMP\nsh1036.tmp\*.*,?,?,74DF3420,00442800,00000000), ref: 00405CE3
                                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(C:\Windows\TEMP\nsh1036.tmp\*.*,?,?,?,0040A014,?,C:\Windows\TEMP\nsh1036.tmp\*.*,?,?,74DF3420,00442800,00000000), ref: 00405CF3
                                                                                                                                                                                                    • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405DA2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: .$.$C:\Windows\TEMP\nsh1036.tmp\*.*$\*.*
• API String ID: 2035342205-2751710290
APIs
• FindFirstFileW.KERNELBASE(74DF3420,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,74DF3420,?,00442800,00405C69,?,74DF3420,00442800), ref: 0040687E
• FindClose.KERNELBASE(00000000), ref: 0040688A
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\
• API String ID: 2295610775-3404278061
APIs
• FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0

Control-flow Graph (function at 403bec; rendered graph not reproduced)
APIs
  • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
  • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
• lstrcatW.KERNEL32(00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420,00442800,?,00000000,?), ref: 00403C6D
• lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Program Files\Wildix\WIService,00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420), ref: 00403CED
• lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Program Files\Wildix\WIService,00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
• GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403D0B
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\Wildix\WIService), ref: 00403D54
  • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
• RegisterClassW.USER32(00433EA0), ref: 00403D91
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
• ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
• GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
• GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
• RegisterClassW.USER32(00433EA0), ref: 00403E56
• DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$C:\Program Files\Wildix\WIService$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-3279136279

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 215 40307d-4030cb GetTickCount GetModuleFileNameW call 40602d 218 4030d7-403105 call 40653d call 405e58 call 40653d GetFileSize 215->218 219 4030cd-4030d2 215->219 227 4031f0-4031fe call 403019 218->227 228 40310b 218->228 220 4032ad-4032b1 219->220 234 403200-403203 227->234 235 403253-403258 227->235 230 403110-403127 228->230 232 403129 230->232 233 40312b-403134 call 4034cf 230->233 232->233 241 40325a-403262 call 403019 233->241 242 40313a-403141 233->242 237 403205-40321d call 4034e5 call 4034cf 234->237 238 403227-403251 GlobalAlloc call 4034e5 call 4032b4 234->238 235->220 237->235 261 40321f-403225 237->261 238->235 266 403264-403275 238->266 241->235 246 403143-403157 call 405fe8 242->246 247 4031bd-4031c1 242->247 252 4031cb-4031d1 246->252 264 403159-403160 246->264 251 4031c3-4031ca call 403019 247->251 247->252 251->252 257 4031e0-4031e8 252->257 258 4031d3-4031dd call 4069f7 252->258 257->230 265 4031ee 257->265 258->257 261->235 261->238 264->252 270 403162-403169 264->270 265->227 267 403277 266->267 268 40327d-403282 266->268 267->268 271 403283-403289 268->271 270->252 272 40316b-403172 270->272 271->271 273 40328b-4032a6 SetFilePointer call 405fe8 271->273 272->252 274 403174-40317b 272->274 278 4032ab 273->278 274->252 275 40317d-40319d 274->275 275->235 277 4031a3-4031a7 275->277 279 4031a9-4031ad 277->279 280 4031af-4031b7 277->280 278->220 279->265 279->280 280->252 281 4031b9-4031bb 280->281 281->252
APIs
• GetTickCount.KERNEL32 ref: 0040308E
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
  • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
  • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
• GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
• GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp$C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
• API String ID: 2803837635-3932408702
• Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
• Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
• Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
• Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 346 40657a-406585 347 406587-406596 346->347 348 406598-4065ae 346->348 347->348 349 4065b0-4065bd 348->349 350 4065c6-4065cf 348->350 349->350 351 4065bf-4065c2 349->351 352 4065d5 350->352 353 4067aa-4067b5 350->353 351->350 354 4065da-4065e7 352->354 355 4067c0-4067c1 353->355 356 4067b7-4067bb call 40653d 353->356 354->353 357 4065ed-4065f6 354->357 356->355 359 406788 357->359 360 4065fc-406639 357->360 363 406796-406799 359->363 364 40678a-406794 359->364 361 40672c-406731 360->361 362 40663f-406646 360->362 368 406733-406739 361->368 369 406764-406769 361->369 365 406648-40664a 362->365 366 40664b-40664d 362->366 367 40679b-4067a4 363->367 364->367 365->366 370 40668a-40668d 366->370 371 40664f-40666d call 40640b 366->371 367->353 374 4065d7 367->374 375 406749-406755 call 40653d 368->375 376 40673b-406747 call 406484 368->376 372 406778-406786 lstrlenW 369->372 373 40676b-406773 call 40657a 369->373 380 40669d-4066a0 370->380 381 40668f-40669b GetSystemDirectoryW 370->381 385 406672-406676 371->385 372->367 373->372 374->354 384 40675a-406760 375->384 376->384 387 4066a2-4066b0 GetWindowsDirectoryW 380->387 388 406709-40670b 380->388 386 40670d-406711 381->386 384->372 389 406762 384->389 391 406713-406717 385->391 392 40667c-406685 call 40657a 385->392 386->391 393 406724-40672a call 4067c4 386->393 387->388 388->386 390 4066b2-4066ba 388->390 389->393 397 4066d1-4066e7 SHGetSpecialFolderLocation 390->397 398 4066bc-4066c5 390->398 391->393 394 406719-40671f lstrcatW 391->394 392->386 393->372 394->393 399 406705 397->399 400 4066e9-406703 SHGetPathFromIDListW CoTaskMemFree 397->400 403 4066cd-4066cf 398->403 399->388 400->386 400->399 403->386 403->397
APIs
• GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406695
• GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,?,74DF23A0), ref: 004066A8
• lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
• lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Directory$SystemWindowslstrcatlstrlen
• String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 4260037668-1230650788
• Opcode ID: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
• Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
• Opcode Fuzzy Hash: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
• Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 404 4032b4-4032cb 405 4032d4-4032dd 404->405 406 4032cd 404->406 407 4032e6-4032eb 405->407 408 4032df 405->408 406->405 409 4032fb-403308 call 4034cf 407->409 410 4032ed-4032f6 call 4034e5 407->410 408->407 414 4034bd 409->414 415 40330e-403312 409->415 410->409 416 4034bf-4034c0 414->416 417 403468-40346a 415->417 418 403318-403361 GetTickCount 415->418 421 4034c8-4034cc 416->421 419 4034aa-4034ad 417->419 420 40346c-40346f 417->420 422 4034c5 418->422 423 403367-40336f 418->423 424 4034b2-4034bb call 4034cf 419->424 425 4034af 419->425 420->422 426 403471 420->426 422->421 427 403371 423->427 428 403374-403382 call 4034cf 423->428 424->414 438 4034c2 424->438 425->424 431 403474-40347a 426->431 427->428 428->414 437 403388-403391 428->437 434 40347c 431->434 435 40347e-40348c call 4034cf 431->435 434->435 435->414 441 40348e-40349a call 4060df 435->441 440 403397-4033b7 call 406a65 437->440 438->422 446 403460-403462 440->446 447 4033bd-4033d0 GetTickCount 440->447 448 403464-403466 441->448 449 40349c-4034a6 441->449 446->416 450 4033d2-4033da 447->450 451 40341b-40341d 447->451 448->416 449->431 452 4034a8 449->452 453 4033e2-403418 MulDiv wsprintfW call 40559f 450->453 454 4033dc-4033e0 450->454 455 403454-403458 451->455 456 40341f-403423 451->456 452->422 453->451 454->451 454->453 455->423 457 40345e 455->457 459 403425-40342c call 4060df 456->459 460 40343a-403445 456->460 457->422 464 403431-403433 459->464 462 403448-40344c 460->462 462->440 465 403452 462->465 464->448 466 403435-403438 464->466 465->422 466->462
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: *B$ A$ A$... %d%%$}8@
• API String ID: 551687249-3029848762
• Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
• Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
• Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
• Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
control_flow_graph 467 40176f-401794 call 402da6 call 405e83 472 401796-40179c call 40653d 467->472 473 40179e-4017b0 call 40653d call 405e0c lstrcatW 467->473 478 4017b5-4017b6 call 4067c4 472->478 473->478 482 4017bb-4017bf 478->482 483 4017c1-4017cb call 406873 482->483 484 4017f2-4017f5 482->484 491 4017dd-4017ef 483->491 492 4017cd-4017db CompareFileTime 483->492 485 4017f7-4017f8 call 406008 484->485 486 4017fd-401819 call 40602d 484->486 485->486 494 40181b-40181e 486->494 495 40188d-4018b6 call 40559f call 4032b4 486->495 491->484 492->491 496 401820-40185e call 40653d * 2 call 40657a call 40653d call 405b9d 494->496 497 40186f-401879 call 40559f 494->497 507 4018b8-4018bc 495->507 508 4018be-4018ca SetFileTime 495->508 496->482 529 401864-401865 496->529 509 401882-401888 497->509 507->508 511 4018d0-4018db CloseHandle 507->511 508->511 512 402c33 509->512 515 4018e1-4018e4 511->515 516 402c2a-402c2d 511->516 517 402c35-402c39 512->517 519 4018e6-4018f7 call 40657a lstrcatW 515->519 520 4018f9-4018fc call 40657a 515->520 516->512 526 401901-4023a2 call 405b9d 519->526 520->526 526->516 526->517 529->509 531 401867-401868 529->531 531->497
APIs
• lstrcatW.KERNEL32(00000000,00000000,Call,C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017B0
• CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017D5
  • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
  • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA
  • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
  • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Program Files\Wildix\WIService$C:\Windows\TEMP\nsh1036.tmp$C:\Windows\TEMP\nsh1036.tmp\System.dll$Call
• API String ID: 1941528284-1466462256
• Opcode ID: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
• Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
• Opcode Fuzzy Hash: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
• Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Control-flow Graph
control_flow_graph 533 40689a-4068ba GetSystemDirectoryW 534 4068bc 533->534 535 4068be-4068c0 533->535 534->535 536 4068d1-4068d3 535->536 537 4068c2-4068cb 535->537 539 4068d4-406907 wsprintfW LoadLibraryExW 536->539 537->536 538 4068cd-4068cf 537->538 538->539
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
• wsprintfW.USER32 ref: 004068EC
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
• Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Control-flow Graph
control_flow_graph 540 402ea9-402ed2 call 4063aa 542 402ed7-402edb 540->542 543 402ee1-402ee5 542->543 544 402f8c-402f90 542->544 545 402ee7-402f08 RegEnumValueW 543->545 546 402f0a-402f1d 543->546 545->546 547 402f71-402f7f RegCloseKey 545->547 548 402f46-402f4d RegEnumKeyW 546->548 547->544 549 402f1f-402f21 548->549 550 402f4f-402f61 RegCloseKey call 40690a 548->550 549->547 551 402f23-402f37 call 402ea9 549->551 556 402f81-402f87 550->556 557 402f63-402f6f RegDeleteKeyW 550->557 551->550 558 402f39-402f45 551->558 556->544 557->544 558->548
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
• Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
• Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
• Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Control-flow Graph
control_flow_graph 559 40248a-4024bb call 402da6 * 2 call 402e36 566 4024c1-4024cb 559->566 567 402c2a-402c39 559->567 569 4024cd-4024da call 402da6 lstrlenW 566->569 570 4024de-4024e1 566->570 569->570 573 4024e3-4024f4 call 402d84 570->573 574 4024f5-4024f8 570->574 573->574 575 402509-40251d RegSetValueExW 574->575 576 4024fa-402504 call 4032b4 574->576 580 402522-402603 RegCloseKey 575->580 581 40251f 575->581 576->575 580->567 584 40292e-402935 580->584 581->580 584->567
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\Windows\TEMP\nsh1036.tmp,00000023,00000011,00000002), ref: 004024D5
                                                                                                                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Windows\TEMP\nsh1036.tmp,00000000,00000011,00000002), ref: 00402515
                                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nsh1036.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID: C:\Windows\TEMP\nsh1036.tmp
• API String ID: 2655323295-3461681213
• Opcode ID: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
• Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
• Opcode Fuzzy Hash: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
• Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: function blocks 405a6e-405ae8; calls CreateDirectoryW, GetLastError, SetFileSecurityW and GetLastError. Graph rendering not reproduced.
APIs
• CreateDirectoryW.KERNELBASE(?,?,00442800), ref: 00405AB1
• GetLastError.KERNEL32 ref: 00405AC5
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
• GetLastError.KERNEL32 ref: 00405AE4
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID:
• API String ID: 3449924974-0
• Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
• Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
• Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
• Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: function blocks 4015c1-401663 (plus 401663-4022f6 and 402c2a-402c39); calls 402da6, 405eb7, 405e39, 401423, 40653d, 405aeb, 405b08, 405a6e, SetCurrentDirectoryW and GetFileAttributesW. Graph rendering not reproduced.
APIs
  • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,74DF3420,?,00442800,00405C69,?,74DF3420,00442800,00000000), ref: 00405EC5
  • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
  • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,00442800), ref: 00405AB1
• SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files\Wildix\WIService,?,00000000,000000F0), ref: 0040164D
Strings
• C:\Program Files\Wildix\WIService, xrefs: 00401640
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Program Files\Wildix\WIService
• API String ID: 1892508949-2436880260
• Opcode ID: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
• Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
• Opcode Fuzzy Hash: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
• Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: function blocks 405f14-405f8f; calls 40653d, 405eb7, 4067c4, 406873, 405e0c, 405e58, lstrlenW and GetFileAttributesW. Graph rendering not reproduced.
APIs
  • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
  • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,74DF3420,?,00442800,00405C69,?,74DF3420,00442800,00000000), ref: 00405EC5
  • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
  • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
• lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,00442800,00405C69,?,74DF3420,00442800,00000000), ref: 00405F6D
• GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,00442800,00405C69,?,74DF3420,00442800), ref: 00405F7D
Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                                    • API String ID: 3248276644-3404278061
                                                                                                                                                                                                    • Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                                                                                                                                                                                    • Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Control-flow Graph (block: address range, calls → successor blocks)
• 650: 40640b-40643d, call 4063aa → 653, 654
• 653: 40647b → 656
• 654: 40643f-40646d, RegQueryValueExW, RegCloseKey → 653, 655
• 655: 40646f-406473 → 656, 657
• 656: 40647f-406481
• 657: 406475-406479 → 653, 656
APIs
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,Call,?,?,00406672,80000002), ref: 00406451
• RegCloseKey.KERNELBASE(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C248), ref: 0040645C
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: Call
• API String ID: 3356406503-1824292864
• Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
• Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
• Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
• Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Control-flow Graph (block: address range, calls → successor blocks)
• 658: 40605c-406068 → 659
• 659: 406069-40609d, GetTickCount, GetTempFileNameW → 660, 661
• 660: 4060ac-4060ae → 663
• 661: 40609f-4060a1 → 659, 662
• 662: 4060a3 → 663
• 663: 4060a6-4060a9
APIs
• GetTickCount.KERNEL32 ref: 0040607A
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,00442000,00442800,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00406095
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
• Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
• Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
• Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768
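The two "Control-flow Graph" entries above (functions at 40640b and 40605c) are the report's graph exports flattened into one line of block and edge tokens, which hides the one thing an analyst wants from them: whether the function loops, and around which calls. The script below is an added example and is not part of the Joe Sandbox report or its tooling. It takes both graph strings from this page as constructed input, rebuilds blocks and edges, and flags back edges with a depth-first search; the token grammar it assumes (decimal block id, hex address range, optional "call <target>" and API names, then "<from>-><to>" edges) is inferred from these two strings only.

```python
"""Parse Joe Sandbox flattened control-flow-graph text into blocks and edges.

Added example, not part of the Joe Sandbox report. CFG_TEXT is constructed
input copied from this report's "Control-flow Graph" entries for the
functions at 0x40640b and 0x40605c. The token grammar is an assumption
inferred from those strings: a block is a decimal id followed by a hex
address range, then optional "call <target>" and API names; an edge is
"<from>-><to>".
"""
import re
from collections import OrderedDict

CFG_TEXT = {
    "40640b": (
        "control_flow_graph 650 40640b-40643d call 4063aa 653 40647b 650->653 "
        "654 40643f-40646d RegQueryValueExW RegCloseKey 650->654 656 40647f-406481 "
        "653->656 654->653 655 40646f-406473 654->655 655->656 657 406475-406479 "
        "655->657 657->653 657->656"
    ),
    "40605c": (
        "control_flow_graph 658 40605c-406068 659 406069-40609d GetTickCount "
        "GetTempFileNameW 658->659 660 4060ac-4060ae 659->660 661 40609f-4060a1 "
        "659->661 663 4060a6-4060a9 660->663 661->659 662 4060a3 661->662 662->663"
    ),
}

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


def parse_cfg(text):
    """Return (blocks, edges); blocks maps id -> {"range": str, "calls": [...]}."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = OrderedDict(), [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.isdigit() and RANGE_RE.match(nxt):
            current = int(tok)                      # new basic block
            blocks[current] = {"range": nxt, "calls": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"token {tok!r} appears before any block")
        if tok == "call" and nxt:                   # direct call target
            blocks[current]["calls"].append(f"call {nxt}")
            i += 2
            continue
        blocks[current]["calls"].append(tok)        # imported API name
        i += 1
    return blocks, edges


def successors(blocks, edges):
    """Adjacency list keyed by block id, in the report's block order."""
    succ = OrderedDict((b, []) for b in blocks)
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    return succ


def back_edges(blocks, edges):
    """Edges that close a cycle (DFS from the first block = function entry)."""
    succ = successors(blocks, edges)
    state, found = {}, []              # state: 1 = on DFS stack, 2 = done

    def visit(node):
        state[node] = 1
        for nxt in succ.get(node, []):
            if state.get(nxt) == 1:
                found.append((node, nxt))
            elif nxt not in state:
                visit(nxt)
        state[node] = 2

    if blocks:
        visit(next(iter(blocks)))
    return found


def render(name, text):
    """One readable line per block plus any loop-closing edges."""
    blocks, edges = parse_cfg(text)
    succ = successors(blocks, edges)
    lines = [f"function {name}:"]
    for bid, info in blocks.items():
        out = ", ".join(map(str, succ[bid])) or "(exit)"
        lines.append(f"  {bid}: {info['range']} {' '.join(info['calls'])} -> {out}")
    for src, dst in back_edges(blocks, edges):
        lines.append(f"  loop: {src} -> {dst}")
    return "\n".join(lines)


if __name__ == "__main__":
    for fname, cfg in CFG_TEXT.items():
        print(render(fname, cfg))
```

Run on the page's two graphs, the first function (RegQueryValueExW / RegCloseKey) has no back edge, while the second reports "loop: 661 -> 659": the only cycle re-enters the block that calls GetTickCount and GetTempFileNameW. That is the caveat worth attaching to the "execution timing" signature in the report header: a timing check needs a second tick value to compare against, and this graph shows a single GetTickCount feeding the same block as GetTempFileNameW inside a retry loop, so triaging the function by its API list alone overstates its evasion value.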
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
  • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
  • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA
  • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
  • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Opcode ID: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
• Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
• Opcode Fuzzy Hash: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
• Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D
APIs
• GlobalFree.KERNEL32(?), ref: 00401C0B
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
  • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
  • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Global$AllocFreelstrcatlstrlen
• String ID: Call
• API String ID: 3292104215-1824292864
• Opcode ID: f7499587b74b1f9cb3fce9f730428132cfcdd1475af0708a05741156e8f6fa82
• Instruction ID: 7c0f58a685d1fc6dd3685da305ee1819882fb4420ac17dc2787245939102450a
• Opcode Fuzzy Hash: f7499587b74b1f9cb3fce9f730428132cfcdd1475af0708a05741156e8f6fa82
• Instruction Fuzzy Hash: 1B21D872904210EBDB20AFA8EE84A5E73B4EB04715755063BF552F72D0D7B8AC414B9D
APIs
  • Part of subcall function 00405B63: ShellExecuteExW.SHELL32(?), ref: 00405B72
  • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
  • Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
• CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
• String ID: @$C:\Program Files\Wildix\WIService
• API String ID: 165873841-3745962701
• Opcode ID: a67ec0d71784c57903e6e19cce9d8927263f5937a446752ff53b440bc5899183
• Instruction ID: 706d8f23dd4fc365793d21c3b3cee38f3579e955c6bce5a1691758ef83551cc9
• Opcode Fuzzy Hash: a67ec0d71784c57903e6e19cce9d8927263f5937a446752ff53b440bc5899183
• Instruction Fuzzy Hash: 20115B71E042189ADB50EFB9CA49B8CB6F4BF04304F24447AE405F72C1EBBC89459B18
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
• RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025E4
• RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nsh1036.tmp,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
• Opcode ID: 2ceb002e910c094db02aea1c2c62d66cc74a7b046aa56edd155f21af9fce9564
• Instruction ID: 08080f496e1fbaad801da7c4a2f11cdf7a22a5a493a276a89d416976773fa01e
• Opcode Fuzzy Hash: 2ceb002e910c094db02aea1c2c62d66cc74a7b046aa56edd155f21af9fce9564
• Instruction Fuzzy Hash: 89017CB1A04105ABEB159F94DE58AAEB66CEF40348F10403AF501B61C0EBB85E44966D
APIs
  • Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
  • Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
• RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C1C
• DeleteFileW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C24
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
• Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
• Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
• Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A
APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069DB
• GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ObjectSingleWait$CodeExitProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2567322000-0
                                                                                                                                                                                                    • Opcode ID: 5001a44abd0e5b0949431453b9a2c42ce6d4f473903e6ae1ef305ee8f225f71a
                                                                                                                                                                                                    • Instruction ID: f5f2e02d25af80b97bb350a16654da7f97250589dc800b1049f4071f8343982b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5001a44abd0e5b0949431453b9a2c42ce6d4f473903e6ae1ef305ee8f225f71a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0CE0D8B1A00118FBDB109F54DE05E9E7B6EDF44750F110033FA01B6590D7B19E25DB94
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • C:\Program Files\Wildix\WIService, xrefs: 00402269
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CreateInstance
                                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService
                                                                                                                                                                                                    • API String ID: 542301482-2436880260
                                                                                                                                                                                                    • Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
                                                                                                                                                                                                    • Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
                                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nsh1036.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                                                                    • Opcode ID: dd1b1b3d94faa584660aa564dd852358c6c0cbefcfc3417a0db06bb84b323ca4
                                                                                                                                                                                                    • Instruction ID: 3e5dab0bbcc9b7b4348569693e39c51bc0b27c59e8ea0ed6abb05ebc10b9b344
                                                                                                                                                                                                    • Opcode Fuzzy Hash: dd1b1b3d94faa584660aa564dd852358c6c0cbefcfc3417a0db06bb84b323ca4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F116D71900219EADF14DFA4DA589AE77B4FF04345B20443BE401B62C0E7B88A45EB5D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                                    • Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                                                                                                                                                                                    • Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegDeleteValueW.KERNELBASE(00000000,00000000,00000033), ref: 00402456
                                                                                                                                                                                                    • RegCloseKey.KERNELBASE(00000000), ref: 0040245F
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseDeleteValue
• String ID:
• API String ID: 2831762973-0
• Opcode ID: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
• Instruction ID: 30df5d2aec36195d54007c6df5f336708121daf1b93815cec1e8c6dbc8099d71
• Opcode Fuzzy Hash: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
• Instruction Fuzzy Hash: 22F0C232A00120EBDB11ABB89B4DAED72A8AF84314F15443BE141B71C0DAFC5D01866D
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
• CloseHandle.KERNEL32(?), ref: 00405B56
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
• Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
• Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
• Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
• GetProcAddress.KERNEL32(00000000,?), ref: 00406937
  • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
  • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
  • Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
• Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
• Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
• Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E
APIs
• FreeLibrary.KERNELBASE(?,74DF3420,00000000,00442800,00403B2F,00403A5E,?), ref: 00403B71
• GlobalFree.KERNEL32(?), ref: 00403B78
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID:
• API String ID: 1100898210-0
• Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
• Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
• Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
• Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC
APIs
• GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
• Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
• SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                                    • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                                                                                                    • Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • C:\Windows\TEMP\nsh1036.tmp\, xrefs: 00403B31
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                                                                    • String ID: C:\Windows\TEMP\nsh1036.tmp\
                                                                                                                                                                                                    • API String ID: 2962429428-3900304211
                                                                                                                                                                                                    • Opcode ID: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
                                                                                                                                                                                                    • Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00403520,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00405AF1
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AFF
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1375471231-0
                                                                                                                                                                                                    • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                                                                                                    • Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF
                                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FilePointerwsprintf
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 327478801-0
                                                                                                                                                                                                    • Opcode ID: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
                                                                                                                                                                                                    • Instruction ID: a13d1cf18dcce6f7d85bed0b4e0fde0de6b16079219dfacd376ffc086bc6f252
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D3E09271A04105BFDB01EFA5AE499AEB3B8EF44319B10483BF102F00C1DA794D119B2D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FindNextFileW.KERNELBASE(00000000,?,?), ref: 004028F2
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
• Opcode ID: 5a0eca54d12d830a6cf0b67cd5981ecab404d45d89ec6f49a99563b0e2ede8d6
• Instruction ID: db9f6404ebf4ce2de6069d57e227025b0e6a75b8a6eb25932bbfae1af7e2135c
• Opcode Fuzzy Hash: 5a0eca54d12d830a6cf0b67cd5981ecab404d45d89ec6f49a99563b0e2ede8d6
• Instruction Fuzzy Hash: 3EE0E572A041159BDB11DFA5ED88AAE7374EF40314F20447BD102F61D0E7B85A55AB1D
APIs
• RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
• Instruction ID: ccab944935cfefb85f0e849ce69279fb55db75a3b7fb0960311cd9d36817041a
• Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
• Instruction Fuzzy Hash: 04E0E6B2010109BFEF095F90DC0AD7B3B1DE704300F01892EFD06D4091E6B5AD306675
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
• Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
• Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
• Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
• Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4
APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C248,?,?,00406438,0042C248,00000000,?,?,Call,?), ref: 004063CE
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
• Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
• Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
• Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                                    • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                                    • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA
                                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                                      • Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                                                                                                                                                                                      • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
                                                                                                                                                                                                    • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
                                                                                                                                                                                                      • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                                                                                                                                                      • Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
                                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2972824698-0
                                                                                                                                                                                                    • Opcode ID: ce2c2b897b5b7a5940bd958f4af0b0a61f650836c27f4d249739cb61e324a33b
                                                                                                                                                                                                    • Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ce2c2b897b5b7a5940bd958f4af0b0a61f650836c27f4d249739cb61e324a33b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                                                    • Opcode ID: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
                                                                                                                                                                                                    • Instruction ID: 7e4bd3fa72896d3e54e8b4d9ea8ddceac118c8145159a7c2ee745a60f6c60e84
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DD0A773B141018BD704EBFCFE8545E73E8EB503293208C37D402E10D1E678C846461C
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 0040573C
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040574B
                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00405788
                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 0040578F
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
                                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
                                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 0040582B
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040584C
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 0040575A
                                                                                                                                                                                                      • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040589E
                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004058B3
                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004058D7
                                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 004058DC
                                                                                                                                                                                                    • ShowWindow.USER32(00000008), ref: 00405926
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
                                                                                                                                                                                                    • CreatePopupMenu.USER32 ref: 0040596B
                                                                                                                                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
                                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040599F
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
• OpenClipboard.USER32(00000000), ref: 00405A00
• EmptyClipboard.USER32 ref: 00405A06
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
• GlobalLock.KERNEL32(00000000), ref: 00405A1C
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
• GlobalUnlock.KERNEL32(00000000), ref: 00405A50
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
• CloseClipboard.USER32 ref: 00405A61
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: f02b1789a548c21c126c9045b4544d5ada5808600bf44a06586be8ced473be55
• Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
• Opcode Fuzzy Hash: f02b1789a548c21c126c9045b4544d5ada5808600bf44a06586be8ced473be55
• Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404F1E
• GetDlgItem.USER32(?,00000408), ref: 00404F29
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
• LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
• SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
• SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
• DeleteObject.GDI32(00000000), ref: 00405000
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
• SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
  • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
• GetWindowLongW.USER32(?,000000F0), ref: 00405144
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
• ShowWindow.USER32(?,00000005), ref: 00405162
• SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
• ImageList_Destroy.COMCTL32(?), ref: 00405330
• GlobalFree.KERNEL32(?), ref: 00405340
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
• SendMessageW.USER32(?,00001102,?,?), ref: 00405462
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
• InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
• ShowWindow.USER32(?,00000000), ref: 004054EA
• GetDlgItem.USER32(?,000003FE), ref: 004054F5
• ShowWindow.USER32(00000000), ref: 004054FC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
• Opcode ID: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
• Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
• Opcode Fuzzy Hash: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
• Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
• ShowWindow.USER32(?), ref: 00403FF6
• GetWindowLongW.USER32(?,000000F0), ref: 00404008
• ShowWindow.USER32(?,00000004), ref: 00404021
• DestroyWindow.USER32 ref: 00404035
• SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
• GetDlgItem.USER32(?,?), ref: 0040406D
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
• IsWindowEnabled.USER32(00000000), ref: 00404088
• GetDlgItem.USER32(?,00000001), ref: 00404133
• GetDlgItem.USER32(?,00000002), ref: 0040413D
• SetClassLongW.USER32(?,000000F2,?), ref: 00404157
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
• GetDlgItem.USER32(?,00000003), ref: 0040424E
• ShowWindow.USER32(00000000,?), ref: 0040426F
• EnableWindow.USER32(?,?), ref: 00404281
• EnableWindow.USER32(?,?), ref: 0040429C
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
• EnableMenuItem.USER32(00000000), ref: 004042B9
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
• lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
• SetWindowTextW.USER32(?,0042D268), ref: 00404322
• ShowWindow.USER32(?,0000000A), ref: 00404456
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
• String ID:
• API String ID: 1860320154-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040470A
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 00404738
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00404759
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 004047D4
                                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 004047DB
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404806
                                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404857
                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040485A
                                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00404873
                                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 00404876
                                                                                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                                                                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                                    • String ID: Call$N
                                                                                                                                                                                                    • API String ID: 3103080414-3438112850
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                                    • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                                    • String ID: F
                                                                                                                                                                                                    • API String ID: 941294808-1304234792
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 004049D9
                                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404A03
                                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                                                                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                                                                                                                                                                                                    • lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 00404AF1
                                                                                                                                                                                                    • lstrcatW.KERNEL32(?,Call), ref: 00404AFD
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F
                                                                                                                                                                                                      • Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94
                                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,00442800,?,00403508,00442800,00442800,00403810), ref: 00406827
                                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,00442800,00442800,00403810), ref: 00406836
                                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,00000000,74DF3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040683B
                                                                                                                                                                                                      • Part of subcall function 004067C4: CharPrevW.USER32(?,?,74DF3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040684E
                                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
                                                                                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED
                                                                                                                                                                                                      • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                                      • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                                      • Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                    • String ID: A$C:\Program Files\Wildix\WIService$Call
                                                                                                                                                                                                    • API String ID: 2624150263-973401783
                                                                                                                                                                                                    • Opcode ID: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                                    • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
• GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
  • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
  • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
• GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
• wsprintfA.USER32 ref: 00406202
• GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
• SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
• GlobalFree.KERNEL32(00000000), ref: 004062EB
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2
  • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
  • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
• Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
• Opcode Fuzzy Hash: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
• Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 0040451D
• GetSysColor.USER32(00000000), ref: 0040455B
• SetTextColor.GDI32(?,00000000), ref: 00404567
• SetBkMode.GDI32(?,?), ref: 00404573
• GetSysColor.USER32(?), ref: 00404586
• SetBkColor.GDI32(?,?), ref: 00404596
• DeleteObject.GDI32(?), ref: 004045B0
• CreateBrushIndirect.GDI32(?), ref: 004045BA
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
• Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 00402758
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
  • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
• Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
• Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
• Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                                    • lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                                    • lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA
                                                                                                                                                                                                    • SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1495540970-0
                                                                                                                                                                                                    • Opcode ID: 195069dcc2a5024ac29c7a45bf60c8768b6efe327543dfefb6c4dd5180e0e504
                                                                                                                                                                                                    • Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 195069dcc2a5024ac29c7a45bf60c8768b6efe327543dfefb6c4dd5180e0e504
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
                                                                                                                                                                                                    • GetMessagePos.USER32 ref: 00404E77
                                                                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00404E91
                                                                                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
                                                                                                                                                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                                    • API String ID: 41195575-1993550816
                                                                                                                                                                                                    • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                                                                                                                                                                    • Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5
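Added example (not part of the Joe Sandbox report and not code from the analysed sample): a small Python parser for the "APIs" trace lines above that resolves the raw SendMessageW message numbers to their commctrl.h names. It covers both the function at 004055D7..0040565A, whose messages 0x1004/0x104D/0x1013 are list-view (LVM_*) messages, and the function at 00404E6F..00404EC9, whose messages 0x110A/0x1111/0x113E are tree-view (TVM_*) messages. The constant tables are from commctrl.h, the sample lines are copied from this report, and the function and class names are my own.

```python
"""Decode Joe Sandbox 'APIs' trace lines and resolve SendMessageW constants.

Example code added to this report page; it is not Joe Sandbox code and not
code from the sample. Input lines look like
    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
and the goal is to turn the opaque message numbers into the commctrl.h names
an analyst needs to recognise ordinary installer UI plumbing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Win32 common-control messages (commctrl.h): LVM_FIRST = 0x1000, TV_FIRST = 0x1100.
# Only the message numbers that appear in this report are listed.
MESSAGE_NAMES = {
    0x1004: "LVM_GETITEMCOUNT",
    0x1013: "LVM_ENSUREVISIBLE",
    0x104D: "LVM_INSERTITEMW",
    0x110A: "TVM_GETNEXTITEM",
    0x1111: "TVM_HITTEST",
    0x113E: "TVM_GETITEMW",
}
# wParam codes for TVM_GETNEXTITEM (commctrl.h TVGN_*); 9 = currently selected item.
TVGN_NAMES = {0x9: "TVGN_CARET"}

# Matches "<api>.<module>(<args>), ref: <hex>" and the arg-less form
# "GetMessagePos.USER32 ref: 00404E77"; the optional prefix marks subcall lines.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int          # address of the call site inside the dumped module
    subcall: bool     # True when the line came from "Part of subcall function"


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # "?" (value unknown to the sandbox) or an inline string such as "Call"


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one trace line; return None for headers and other non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), "Part of subcall function" in line)


def _fmt(a: Arg) -> str:
    return f"0x{a:X}" if isinstance(a, int) else a


def describe(call: ApiCall) -> str:
    """Render a call, resolving SendMessageW message and TVGN_* constants."""
    if call.api == "SendMessageW" and len(call.args) == 4 and isinstance(call.args[1], int):
        hwnd, msg, wparam, lparam = call.args
        msg_name = MESSAGE_NAMES.get(msg, f"0x{msg:04X}")
        if msg == 0x110A and isinstance(wparam, int):
            wparam = TVGN_NAMES.get(wparam, wparam)
        return (f"SendMessageW(hwnd={_fmt(hwnd)}, msg={msg_name}, "
                f"wParam={_fmt(wparam)}, lParam={_fmt(lparam)}) @ {call.ref:08X}")
    return f"{call.api}({', '.join(_fmt(a) for a in call.args)}) @ {call.ref:08X}"


def control_kinds(calls: List[Optional[ApiCall]]) -> List[str]:
    """Which common-control families a function talks to, from its SendMessageW ranges."""
    kinds = set()
    for c in calls:
        if c and c.api == "SendMessageW" and len(c.args) == 4 and isinstance(c.args[1], int):
            if 0x1000 <= c.args[1] < 0x1100:
                kinds.add("listview")
            elif 0x1100 <= c.args[1] < 0x1200:
                kinds.add("treeview")
    return sorted(kinds)


# Sample input: trace lines copied from the two functions in this report.
SAMPLE_LISTVIEW_FUNC = [
    "• lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7",
    "• lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,74DF23A0), ref: 004055FA",
    "• SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C",
    "• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632",
    "• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C",
    "• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A",
    r"  • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F",
]
SAMPLE_TREEVIEW_FUNC = [
    "• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F",
    "• GetMessagePos.USER32 ref: 00404E77",
    "• ScreenToClient.USER32(?,?), ref: 00404E91",
    "• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3",
    "• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9",
]

if __name__ == "__main__":
    for name, lines in (("listview func", SAMPLE_LISTVIEW_FUNC), ("treeview func", SAMPLE_TREEVIEW_FUNC)):
        calls = [parse_api_line(l) for l in lines]
        print(name, control_kinds(calls))
        for c in calls:
            print("  ", describe(c))
```

Resolved, the two functions read as a list-view populate/scroll routine and a tree-view hit-test routine, i.e. installer dialog plumbing; that lets triage spend its time on the functions that touch files, scheduled tasks or the firewall rather than on these.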
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                                                                                                                                                                                    • MulDiv.KERNEL32(01858A60,00000064,0185B4D8), ref: 00402FDC
                                                                                                                                                                                                    • wsprintfW.USER32 ref: 00402FEC
                                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00402FFC
                                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402FE6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                                                                    • Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                                                                                                                                                                                    • Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00402A06
                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,00442800,?,00403508,00442800,00442800,00403810), ref: 00406827
• CharNextW.USER32(?,?,?,00000000,?,00403508,00442800,00442800,00403810), ref: 00406836
• CharNextW.USER32(?,00000000,74DF3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040683B
• CharPrevW.USER32(?,?,74DF3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040684E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
APIs
• GetDlgItem.USER32(?,?), ref: 00401D9A
• GetClientRect.USER32(?,?), ref: 00401DE5
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
• DeleteObject.GDI32(00000000), ref: 00401E39
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
APIs
• GetDC.USER32(?), ref: 00401E51
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
• ReleaseDC.USER32(?,00000000), ref: 00401E84
  • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
  • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
• CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
• String ID:
• API String ID: 2584051700-0
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
APIs
• lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
• wsprintfW.USER32 ref: 00404DF0
• SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
APIs
• CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,74DF3420,?,00442800,00405C69,?,74DF3420,00442800,00000000), ref: 00405EC5
• CharNextW.USER32(00000000), ref: 00405ECA
• CharNextW.USER32(00000000), ref: 00405EE2
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
APIs
• lstrlenA.KERNEL32(C:\Windows\TEMP\nsh1036.tmp\System.dll), ref: 00402695
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: lstrlen
• String ID: C:\Windows\TEMP\nsh1036.tmp$C:\Windows\TEMP\nsh1036.tmp\System.dll
• API String ID: 1659193697-4272903124
APIs
• DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
• GetTickCount.KERNEL32 ref: 0040304A
• CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075
Memory Dump Source
• Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 00405542
                                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                                                                                                                                                                                                      • Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                                    • Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                                                                                                                                                    • Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,004030E9,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
                                                                                                                                                                                                    • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,004030E9,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,C:\Users\user\AppData\Local\Temp\nsa8163.tmp\SetupWIService.exe,80000000,00000003), ref: 00405E6E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\nsa8163.tmp, xrefs: 00405E58
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CharPrevlstrlen
                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsa8163.tmp
                                                                                                                                                                                                    • API String ID: 2709904686-2144395985
                                                                                                                                                                                                    • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                                                                                                    • Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
                                                                                                                                                                                                    • CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 0000000D.00000002.2686373749.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686314506.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686454306.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000040D000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000042F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000431000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000437000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.000000000043C000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000440000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686505044.0000000000443000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 0000000D.00000002.2686929841.0000000000457000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_400000_SetupWIService.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                                                                    • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                                    • Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2384601424.00007FFD9BD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD00000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bd00000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: d/_H
                                                                                                                                                                                                    • API String ID: 0-3811915436
                                                                                                                                                                                                    • Opcode ID: 1e5256873736f90b2b31add87f20918f4c90a5c2e25f0cf3e0073b1abca67ea3
                                                                                                                                                                                                    • Instruction ID: c662456a6c279076079321eed4c94c503b4db4e9a24f4812a3ece7c067e5e20a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1e5256873736f90b2b31add87f20918f4c90a5c2e25f0cf3e0073b1abca67ea3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 85412622B0E6860FE766A77C68654E43BE0EF5A239B0901F7E08DCB1E7ED185942C341
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 9f4ed062a654d3c199327422675df32b761df1eb85cfd5f2c0036b6bb38e119c
                                                                                                                                                                                                    • Instruction ID: b39bd90c3d2b5fa429b5d9a246ce2d0f77cb76d1534f61eba9b4a6cb4cc4225c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9f4ed062a654d3c199327422675df32b761df1eb85cfd5f2c0036b6bb38e119c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A0426830B2DB494FE369DB288465A7577E1FF65304F11467DE0AEC72A6DE28F8028B41
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 93709c1ff7a07243e8069adb0cd92ab0dadac398e97181bb360c1ae23d48946e
                                                                                                                                                                                                    • Instruction ID: 7690dcd4993c70c6af8cbcd2374c3ebccc293aeca6c58041c69f7a116a14d907
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 93709c1ff7a07243e8069adb0cd92ab0dadac398e97181bb360c1ae23d48946e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5042A630B18A098FE758EB6CD4A5A6977F1EF59304F544279D42EC72E6CE29EC02CB41
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: d15aa236648389d3d5aef54a874ca4d630eee8406410c218ecb4975ce3ffed79
                                                                                                                                                                                                    • Instruction ID: 90ecea0dd38f0db7aa1c6e815abd075f7100b0260c4179e22dcd92585a136279
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d15aa236648389d3d5aef54a874ca4d630eee8406410c218ecb4975ce3ffed79
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6A028C30719A099FE768EB69D460B6573E2FF59304F608278E06DC73E6CE79A801CB44
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382681092.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bb70000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 63ba68136ea6bb6880d5ebeb5815835984ce2450a7757367fc41197a183c0b6f
                                                                                                                                                                                                    • Instruction ID: ba86ac113a742e49077018a8ea6f321841409e2c034e2d33f0390e21caa3cd19
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 63ba68136ea6bb6880d5ebeb5815835984ce2450a7757367fc41197a183c0b6f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 77C17070B195099FEBA8E768D4A476533F1FF59708F91017AE01EC7AE2CE29AD01C741
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 705359bd592e2c449e12e78ff38d53474ac412d3c725dcbc6333a586ed3567c3
                                                                                                                                                                                                    • Instruction ID: f7e06b0330f32273f84421fb58d8b564d239884060580384131e77b87d4b7c62
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 705359bd592e2c449e12e78ff38d53474ac412d3c725dcbc6333a586ed3567c3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C9513630A1F2D95FD316977888A88607FA0EF57310B1942FED0A9CB1B3D569A846C742
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 3c57cb33fcb75293131d175c300811f47c1a9e6ba653c859885ac811a72d970a
                                                                                                                                                                                                    • Instruction ID: dd3e9d72b571135688811839c297216f3ba3c06a2f4ebcdbf22b7b16be94352c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3c57cb33fcb75293131d175c300811f47c1a9e6ba653c859885ac811a72d970a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 20314D30B159098FDB94FB2CC469A6837E1EF69305B4500B9E40DCB2B6DE28EC41CB41
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: b69812d6d1fc3cf2135af5ec1a5c8f7a09712dd2b850194c2b13e6453ab4bdeb
                                                                                                                                                                                                    • Instruction ID: 53d5ded1b4f6f2fe956cdc307579f5bc3a89e0a1a2ad56a85ba5e87f592abfdc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b69812d6d1fc3cf2135af5ec1a5c8f7a09712dd2b850194c2b13e6453ab4bdeb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5B314C11B1EA990FD7A1977C48752B17FE1EF66210B0A41FBD058CB1E3ED489C42C742
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: bcf58f174d91dd9f8b71226e314f4148761c753c7efb749487407c1f707a9d52
                                                                                                                                                                                                    • Instruction ID: ef95bb1a709b8bdda32bce7aceeb5058ca8849482853de4d096b16666d9735ab
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bcf58f174d91dd9f8b71226e314f4148761c753c7efb749487407c1f707a9d52
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4D016131F19A094FD354DB2C68B626133F1EF65225F5102AAE419CB2E6EE5D5C01C742
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: d259cbf331c188ba5a892c8d0ec076af3f61c2a4ce30441bc7ef63aa0cb7daad
                                                                                                                                                                                                    • Instruction ID: 7a98678da9c379aa3c1c15f708ed58f3dbcc4d881cfecdb41a6b521e750b26f7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d259cbf331c188ba5a892c8d0ec076af3f61c2a4ce30441bc7ef63aa0cb7daad
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A3F05570B0F1890FE761F7B880264943FE1AF17700F0445B8C02CCB2B3E8AD68018B00
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 38cac9821417892a1e61be02a3d7939c1de02d5301cd5b7838340e763c27782f
                                                                                                                                                                                                    • Instruction ID: acbd89dafa7f473cc4c158a5ef02e002e7f2d5104c8a9a03c0d9888a02e78a15
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 38cac9821417892a1e61be02a3d7939c1de02d5301cd5b7838340e763c27782f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 05E06520A0D7C50FD752EB3848A95167FF08B4B110B0A0AEFD898DB1B3D46C8A84C323
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2382409629.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bab0000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 6a8eb25ac0a1ec1ce17b9469195c15cbe69cff02e12e3b232dbbd58c787ba245
                                                                                                                                                                                                    • Instruction ID: 71abc79e2087614de7da531e9f49e87c86fb1dacfe5cfcfd47db4e3b589312df
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6a8eb25ac0a1ec1ce17b9469195c15cbe69cff02e12e3b232dbbd58c787ba245
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6CC0121094E43A12EDB032C5B0114F473804B81620F070474E86C451A2D88D5BC20699
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000063.00000002.2384601424.00007FFD9BD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD00000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_99_2_7ffd9bd00000_RegAsm.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: E)_I
                                                                                                                                                                                                    • API String ID: 0-2284958419
                                                                                                                                                                                                    • Opcode ID: 5dcd7826a91579334b447a8e315e15ba9e54385154c1a6214fa7c4c73f150d94
                                                                                                                                                                                                    • Instruction ID: f5bb72af2f59275aa25f6a4d62b429636f236c74edf7412ac2e418fc8d4c5dac
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5dcd7826a91579334b447a8e315e15ba9e54385154c1a6214fa7c4c73f150d94
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D5515963B0E2896BD364DABCA8610E87761EF5526930942FBE4C98F0A7DC24B545C384
Strings
Memory Dump Source
• Source File: 00000063.00000002.2382681092.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_99_2_7ffd9bb70000_RegAsm.jbxd
Similarity
• API ID:
• String ID: A_^S$A_^W$A_^c$A_^k$A_^o
• API String ID: 0-4288450402