
Windows Analysis Report
msiexec.exe

Overview

General Information

Sample name: msiexec.exe
Analysis ID: 1523484
MD5: c0d3bdde74c1ec82f75681d4d5ed44c8
SHA1: 8e743c5c800ce7f26d91c4bc9c5be41ab15d9bf9
SHA256: ea2aa4ed1ff50d0f2e0a9c1df1960265aa28bf8da542469c0530a09b6da445d2

Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Sigma detected: System File Execution Location Anomaly
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • msiexec.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\msiexec.exe" MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma rule: System File Execution Location Anomaly | Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\Desktop\msiexec.exe", CommandLine: "C:\Users\user\Desktop\msiexec.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\msiexec.exe, NewProcessName: C:\Users\user\Desktop\msiexec.exe, OriginalFileName: C:\Users\user\Desktop\msiexec.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\msiexec.exe", ProcessId: 7352, ProcessName: msiexec.exe
No Suricata rule has matched
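The Sigma match above fires because a file named msiexec.exe was started from the user's Desktop rather than from a Windows system directory. As an added example (not part of this Joe Sandbox report and not the Sigma rule's own YAML), the following Python approximates that logic over constructed process-creation events: an image whose file name belongs to a set of well-known system binaries, but whose path lies outside the directories those binaries legitimately run from, is flagged. The binary list, the allowed directory prefixes and the sample events are assumptions made for this example; the real rule carries a longer list and further exclusions.

```python
"""Added example (not Joe Sandbox output, not the Sigma rule's own YAML): an
approximation of the logic behind 'System File Execution Location Anomaly'.

A process-creation event is flagged when the image's file name is one of a
set of well-known Windows system binaries but the image path lies outside the
directories those binaries legitimately run from. The binary list, directory
prefixes and sample events below are assumptions constructed for this example;
the real rule carries a longer list and additional exclusions.
"""
from dataclasses import dataclass
from typing import List

# Subset of the image names the rule protects (assumption for this example).
SYSTEM_BINARIES = {
    "msiexec.exe", "svchost.exe", "rundll32.exe", "services.exe", "powershell.exe",
    "regsvr32.exe", "spoolsv.exe", "lsass.exe", "smss.exe", "csrss.exe", "conhost.exe",
    "wininit.exe", "winlogon.exe", "taskhostw.exe", "wmiprvse.exe", "dllhost.exe",
    "searchindexer.exe", "sihost.exe", "ctfmon.exe", "explorer.exe",
}

# Locations from which those binaries are expected to run (compared case-insensitively).
LEGIT_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\windows\\explorer.exe",          # explorer.exe lives directly under C:\Windows
    "\\\\?\\c:\\windows\\system32\\",     # device-path form that some log sources emit
)


@dataclass
class ProcessEvent:
    """Minimal view of a Sysmon EID 1 / Security 4688 process-creation record."""
    process_id: int
    image: str
    command_line: str
    parent_image: str


def image_name(path: str) -> str:
    """File-name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_location_anomaly(ev: ProcessEvent) -> bool:
    """True when a protected system-binary name runs from a non-system directory."""
    if image_name(ev.image) not in SYSTEM_BINARIES:
        return False
    return not ev.image.lower().startswith(LEGIT_PREFIXES)


def scan(events: List[ProcessEvent]) -> List[int]:
    """Process IDs of all events that trip the rule, in input order."""
    return [ev.process_id for ev in events if is_location_anomaly(ev)]


# Constructed sample events. The first mirrors the process start in this report
# (msiexec.exe launched from the user's Desktop); the others are controls.
SAMPLE_EVENTS = [
    ProcessEvent(7352, r"C:\Users\user\Desktop\msiexec.exe",
                 r'"C:\Users\user\Desktop\msiexec.exe"', ""),
    ProcessEvent(1234, r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\msiexec.exe /V", r"C:\Windows\System32\services.exe"),
    ProcessEvent(4321, r"C:\Windows\SysWOW64\msiexec.exe",
                 r"msiexec.exe /i setup.msi", r"C:\Windows\explorer.exe"),
    ProcessEvent(5555, r"C:\Users\user\AppData\Local\Temp\svchost.exe",
                 r"svchost.exe -k netsvcs", r"C:\Windows\explorer.exe"),
    ProcessEvent(6666, r"C:\Program Files\Vendor\tool.exe", "tool.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    print("anomalous PIDs:", scan(SAMPLE_EVENTS))  # [7352, 5555]
```

The check is deliberately name-based: it does not tell a renamed copy of the genuine msiexec.exe apart from a hostile impostor, which is exactly why the report scores this sample as suspicious rather than malicious. Hash comparison against the System32 copy, or a catalog-signature check, is the follow-up.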

Source: msiexec.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: msiexec.pdb | source: msiexec.exe
Source: Binary string: msiexec.pdbOGPS | source: msiexec.exe
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8916068
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E89135D4
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E891819B
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8913F08
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8913AF0
Source: msiexec.exe | Binary or memory string: OriginalFilename vs msiexec.exe
Source: classification engine | Classification label: sus25.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E89120BC GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E89191BC StartServiceCtrlDispatcherW,GetLastError
Source: msiexec.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\msiexec.exe | Section loaded: wintypes.dll
Source: msiexec.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: msiexec.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: msiexec.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: msiexec.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: msiexec.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: msiexec.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: msiexec.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: msiexec.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: msiexec.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: msiexec.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: msiexec.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: msiexec.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: msiexec.exe | Static PE information: 0xFE3155BD [Sat Feb 21 07:54:37 2105 UTC]
(Caveat on the time stamp: Microsoft builds Windows binaries reproducibly, and the PE TimeDateStamp of such a build holds a hash of the image rather than a build time, so a far-future value like this one is expected on genuine system files. Confirm the file against its catalog signature or a known-good hash rather than treating the time stamp alone as evidence of tampering.)
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8912A08 LoadLibraryW,GetProcAddress
Source: msiexec.exe | Static PE information: section name: .didat
(Caveat: .didat is the delay-load import data section the Microsoft linker emits for /DELAYLOAD imports; this image has a non-empty IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, so the name is expected here rather than a sign of packing.)
Source: C:\Users\user\Desktop\msiexec.exe | Check user administrative privileges: GetTokenInformation (decision node graph_0-3472)
Source: C:\Users\user\Desktop\msiexec.exe | API coverage: 6.9 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\msiexec.exe | API call chain: ExitProcess (graph end node graph_0-3611)
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E891A560 DelayLoadFailureHook,LdrResolveDelayLoadedAPI,LoadLibraryExA,memset,FreeLibrary,GetProcAddress,DelayLoadFailureHook
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8915934 GetLastError,RegQueryValueExW,RegCloseKey,GlobalFree,RegCreateKeyExW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,memset,OutputDebugStringW,SetLastError
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E89118FE SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E89114B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8913F08 AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLengthSid,memset,GlobalAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetAce,GetLastError,GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetSecurityDescriptorLength,MakeSelfRelativeSD,GetLastError,GetLastError,GetLastError
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E89138C8 AllocateAndInitializeSid,GetLastError,GetLengthSid,FreeSid,GetLengthSid,FreeSid
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8912F1C memset,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,GlobalFree,lstrlenW,WriteFile,WriteFile
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8911AD4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\msiexec.exe | Code function: 0_2_00007FF7E8916068 GetVersionExW,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,GlobalFree,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CompareStringW,CompareStringW,CompareStringW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,memset,lstrlenW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoInitialize,CoRegisterClassObject,GlobalFree,OpenEventW,WaitForSingleObject,CloseHandle,GlobalFree,GetCurrentThread,OpenThreadToken,GetLastError,GlobalFree,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,GlobalFree,GlobalFree,CloseHandle,GlobalFree,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,GetLastError,CreateEventW,CloseHandle,GetLastError,GlobalFree,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,GlobalFree,MsgWaitForMultipleObjects,CloseHandle,OpenProcess,PeekMessageW,TranslateMessage,DispatchMessageW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CoRevokeClassObject,CoUninitialize,GlobalFree,GlobalFree,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW
MITRE ATT&CK Matrix (technique: number of matching signatures; techniques listed without a count are the matrix's placeholder cells with no match)
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Service Execution (2), Native API (2), At
Persistence: Windows Service (3), DLL Side-Loading (1), Logon Script (Windows)
Privilege Escalation: Access Token Manipulation (1), Windows Service (3), DLL Side-Loading (1)
Defense Evasion: Access Token Manipulation (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
Discovery: System Time Discovery (1), Security Software Discovery (1), System Information Discovery (13)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive
Command and Control: Encrypted Channel (1), Junk Data, Steganography
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact
Antivirus detection (Source / Detection / Scanner): msiexec.exe, 0%, ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523484
Start date and time: 2024-10-01 16:56:16 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: msiexec.exe
Detection: SUS
Classification: sus25.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 96%
  • Number of executed functions: 16
  • Number of non-executed functions: 31
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • VT rate limit hit for: msiexec.exe
No simulations
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.087580949245158
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: msiexec.exe
File size: 176'128 bytes
MD5: c0d3bdde74c1ec82f75681d4d5ed44c8
SHA1: 8e743c5c800ce7f26d91c4bc9c5be41ab15d9bf9
SHA256: ea2aa4ed1ff50d0f2e0a9c1df1960265aa28bf8da542469c0530a09b6da445d2
SHA512: e9a0e2e0c5ff36ba58e8b8dc000e5500a61dc4abae55a116a0ed82bdc0e5289642e65cf9dd813b2083198f0678335c30ba76c948c5ade92c7727080571680d08
SSDEEP: 3072:MRZHxKGLLqVcNnB2eA8uTx4rfw78X3Ix3V8xOTIKOZDBZcBk:QZHxLqVcL2enw7w3IkxsIKABZcy
TLSH: E704AD5E66E424E8E07A4234D876822690B1BC7217B196EF32D8D67B4F31AD0D53FF21
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F........................................].....................{.............Rich............................PE..d....U1....
Icon Hash: fdf5fdd8b3b39b1f
Entrypoint: 0x140001200
Entrypoint Section: .text
Digitally signed: false (no embedded Authenticode signature; IMAGE_DIRECTORY_ENTRY_SECURITY is empty. Many Windows system binaries are catalog-signed rather than embedded-signed, so check the file against the system catalogs, for example with Get-AuthenticodeSignature, before reading this field as evidence of tampering.)
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0xFE3155BD [Sat Feb 21 07:54:37 2105 UTC]
TLS Callbacks: none (IMAGE_DIRECTORY_ENTRY_TLS is empty)
CLR (.Net) Version: none (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is empty)
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 0990a9500ff8df93e0e059ee13e7c796
Instruction (entry-point disassembly at 0x140001200; the listing was produced by a 32-bit decoder, so x64 REX prefixes appear as stray dec eax / inc ecx / dec esp / dec ecx instructions and 64-bit registers show under their 32-bit names: "dec eax; sub esp, 28h" is sub rsp, 28h, and "inc ecx; push esi" is push r14)
dec eax
sub esp, 28h
call 00007FCE54E179A0h
dec eax
add esp, 28h
jmp 00007FCE54E170DBh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [0000A2ADh]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [000100EAh], ebx
je 00007FCE54E170DCh
dec eax
cmp eax, ebx
jne 00007FCE54E170EFh
mov edi, 00000001h
mov eax, dword ptr [000100E0h]
cmp eax, 01h
jne 00007FCE54E170ECh
lea ecx, dword ptr [eax+1Eh]
call 00007FCE54E17834h
jmp 00007FCE54E17159h
mov ecx, 000003E8h
call dword ptr [0000A163h]
jmp 00007FCE54E17096h
mov eax, dword ptr [000100BBh]
test eax, eax
jne 00007FCE54E17135h
mov dword ptr [000100ADh], 00000001h
dec esp
lea esi, dword ptr [0000A436h]
dec eax
lea ebx, dword ptr [0000A417h]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007FCE54E17101h
test eax, eax
jne 00007FCE54E17101h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007FCE54E170ECh
dec ecx
mov edx, 5E523070h
Data directories (Name / RVA / Size / Section)
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0      0x0      -
IMAGE_DIRECTORY_ENTRY_IMPORT          0xdba0   0x8c     .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x14000  0x16b10  .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x12000  0x60c    .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0      0x0      -
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2b000  0xd4     .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xcfb0   0x54     .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0      0x0      -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0      0x0      -
IMAGE_DIRECTORY_ENTRY_TLS             0x0      0x0      -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb0f0   0x140    .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0      0x0      -
IMAGE_DIRECTORY_ENTRY_IAT             0xb230   0x428    .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xda30   0x40     .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0      0x0      -
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0      0x0      -
Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics)
.text   0x1000   0x99f1   0xa000   eb0e41586bb3c0a84ddc1662910fa50e  False  0.5134521484375     data                6.081603328695104    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0xb000   0x39c8   0x4000   2071145b2c26ceb749e5e257ef66ac05  False  0.333740234375      data                4.000173769693527    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xf000   0x2400   0x2000   a2bcbd23c6a04b5cf6238abf131cf113  False  0.019775390625      data                0.1828403109501297   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x12000  0x60c    0x1000   9beb52b5eb5484e041c11f625dec148b  False  0.20654296875       PEX Binary Archive  1.965541414957988    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat  0x13000  0x98     0x1000   5190fae5cf029155738e5f94440f22d7  False  0.02099609375       data                0.18389230938244008  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x14000  0x16b10  0x17000  5f7ec24e69a4148b2a22f7a777b9bd25  False  0.6768851902173914  data                6.979424124819375    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2b000  0xd4     0x1000   5ad45dc849b19e8ca4f861e8f686b2bf  False  0.035400390625      data                0.45489600687466425  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
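The header, directory and section values above can be recovered with a short parser. The following Python is an added example, not Joe Sandbox code: it reads the DOS, COFF and optional headers plus the section table of a PE32+ image, decodes DllCharacteristics into the flag names the report prints, maps each populated data directory to the section that contains it (the "is in" lines in the signature evidence), flags section names outside the usual linker set, and converts TimeDateStamp to UTC with a plausibility check. The image it parses is constructed inline from the values shown in this report and carries no section bodies; it stands in for the analysed file, whose raw bytes are not on this page.

```python
"""Added example (not Joe Sandbox code): a minimal PE32+ header parser that
recovers the fields this report lists and applies the two checks behind the
'suspicious time stamp' and 'non-standard section names' signatures.

The sample image is constructed from the header values shown in the report
(time stamp, image base, DllCharacteristics, data directories, section table)
and carries no code or data bodies; it is an assumption standing in for the
analysed file. Only PE32+ (64-bit) images are handled.
"""
import struct
from datetime import datetime, timedelta, timezone

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                   "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                   "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# Names the Microsoft linker normally emits. .didat (delay-load import data, produced
# for /DELAYLOAD) is routine in Microsoft binaries, so a hit on that name alone is weak.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".tls", ".xdata", ".CRT"}


def parse_pe64(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and the section table of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    oh = pe + 24                                                        # optional header start
    if struct.unpack_from("<H", data, oh)[0] != 0x20B:
        raise ValueError("only PE32+ images are handled")
    entry = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<Q", data, oh + 24)[0]
    subsystem, dllchars = struct.unpack_from("<HH", data, oh + 68)
    ndirs = struct.unpack_from("<I", data, oh + 108)[0]
    dirs = [struct.unpack_from("<II", data, oh + 112 + 8 * i) for i in range(min(ndirs, 16))]

    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, _, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, oh + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "characteristics": schars})

    def section_of(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s["name"]
        return None

    # TimeDateStamp is seconds since the Unix epoch. Microsoft's reproducible builds
    # store an image hash here instead of a build time, so an implausible year (such
    # as 2105) is normal for genuine Windows binaries and is not tampering by itself.
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=stamp)
    return {
        "machine": machine,
        "timestamp": stamp,
        "timestamp_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_plausible": 1995 <= when.year <= datetime.now(timezone.utc).year + 1,
        "image_base": image_base,
        "entry_point": image_base + entry,
        "subsystem": subsystem,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit],
        "sections": sections,
        "directory_section": {DIRECTORY_NAMES[i]: section_of(rva)
                              for i, (rva, size) in enumerate(dirs) if size},
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
    }


# Values transcribed from the report: (name, VA, virtual size, raw size, characteristics).
SAMPLE_SECTIONS = [
    (".text", 0x1000, 0x99F1, 0xA000, 0x60000020), (".rdata", 0xB000, 0x39C8, 0x4000, 0x40000040),
    (".data", 0xF000, 0x2400, 0x2000, 0xC0000040), (".pdata", 0x12000, 0x60C, 0x1000, 0x40000040),
    (".didat", 0x13000, 0x98, 0x1000, 0xC0000040), (".rsrc", 0x14000, 0x16B10, 0x17000, 0x40000040),
    (".reloc", 0x2B000, 0xD4, 0x1000, 0x42000040),
]
SAMPLE_DIRS = [(0, 0), (0xDBA0, 0x8C), (0x14000, 0x16B10), (0x12000, 0x60C), (0, 0), (0x2B000, 0xD4),
               (0xCFB0, 0x54), (0, 0), (0, 0), (0, 0), (0xB0F0, 0x140), (0, 0), (0xB230, 0x428),
               (0xDA30, 0x40), (0, 0), (0, 0)]


def build_sample_pe() -> bytes:
    """Constructed PE32+ headers carrying the report's values (no section bodies)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(SAMPLE_SECTIONS), 0xFE3155BD, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0xA000, 0x21000, 0, 0x1200, 0x1000, 0x140000000,
                      0x1000, 0x1000, 10, 0, 10, 0, 10, 0, 0, 0x2C000, 0x1000, 0,
                      2, 0xC160, 0x80000, 0x11000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", rva, size) for rva, size in SAMPLE_DIRS)
    table, raw = b"", 0x1000
    for name, va, vsize, rawsize, schars in SAMPLE_SECTIONS:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, rawsize, raw, 0, 0, 0, 0, schars)
        raw += rawsize
    return dos + b"PE\0\0" + coff + opt + dirs + table


if __name__ == "__main__":
    info = parse_pe64(build_sample_pe())
    for key in ("timestamp_utc", "timestamp_plausible", "dll_characteristics",
                "directory_section", "nonstandard_sections"):
        print(f"{key}: {info[key]}")
```

Run against a real file with `parse_pe64(open(path, "rb").read())`; the constructed image exists only so the block runs offline. The raw sizes in the section table sum to 0x2a000 after the 0x1000-byte header, which is the 176'128-byte file size the report gives, a useful cross-check that the section table is self-consistent.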
Resources (Name / RVA / Size / Type / Language / Country / ZLIB Complexity)
MUI            0x2aa40  0xd0     data                                                             English  United States  0.5384615384615384
RT_ICON        0x14ca8  0xb594   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced      English  United States  0.9955468548317701
RT_ICON        0x20240  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 0   English  United States  0.350909305621162
RT_ICON        0x24468  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0    English  United States  0.40051867219917014
RT_ICON        0x26a10  0x1a68   Device independent bitmap graphic, 40 x 80 x 32, image size 0    English  United States  0.4353550295857988
RT_ICON        0x28478  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0    English  United States  0.4699812382739212
RT_ICON        0x29520  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 0    English  United States  0.5426229508196722
RT_ICON        0x29ea8  0x6b8    Device independent bitmap graphic, 20 x 40 x 32, image size 0    English  United States  0.6023255813953489
RT_ICON        0x2a560  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0    English  United States  0.7597517730496454
RT_GROUP_ICON  0x2a9c8  0x76     data                                                             English  United States  0.7542372881355932
RT_VERSION     0x14930  0x374    data                                                             English  United States  0.47171945701357465
RT_MANIFEST    0x142d0  0x65a    XML 1.0 document, ASCII text, with CRLF line terminators         English  United States  0.3966789667896679
Imports (DLL: funct1ions)
ADVAPI32.dll: GetTokenInformation, SetSecurityDescriptorGroup, MakeAbsoluteSD, MakeSelfRelativeSD, RegQueryValueExW, OpenThreadToken, AddAccessAllowedAce, GetSecurityDescriptorLength, GetLengthSid, StartServiceCtrlDispatcherW, RegOpenKeyExW, InitializeAcl, InitializeSecurityDescriptor, SetThreadToken, FreeSid, OpenProcessToken, RegSetValueExW, RegisterServiceCtrlHandlerW, RegCreateKeyExW, SetServiceStatus, AllocateAndInitializeSid, EqualSid, GetAce, SetSecurityDescriptorOwner, RegEnumKeyW, RegCloseKey, RevertToSelf, AdjustTokenPrivileges, SetSecurityDescriptorDacl, LookupPrivilegeValueW
KERNEL32.dll: CompareStringW, SetLastError, EnterCriticalSection, GetCommandLineW, GetCurrentProcess, lstrlenW, GetStdHandle, WriteFile, GetModuleHandleExW, GetModuleFileNameW, LeaveCriticalSection, InitializeCriticalSection, GetEnvironmentVariableW, GetLocaleInfoW, WaitForSingleObject, OpenEventW, GetVersionExW, GetSystemDefaultLangID, GetACP, OpenProcess, GetVersion, SetProcessMitigationPolicy, CreateEventW, MultiByteToWideChar, Sleep, FormatMessageW, GetLastError, OutputDebugStringW, SetEvent, GetCurrentThread, GlobalAlloc, GlobalFree, CloseHandle, LoadLibraryW, CreateThread, SetCurrentDirectoryW, GetProcAddress, DeleteCriticalSection, ExitProcess, UnhandledExceptionFilter, GetModuleHandleW, FreeLibrary, WideCharToMultiByte, GetFileType, lstrcmpW, LoadLibraryExW, GetSystemDirectoryW, LoadLibraryExA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, DelayLoadFailureHook, GetStartupInfoW
USER32.dll: MsgWaitForMultipleObjects, DispatchMessageW, PeekMessageW, IsCharAlphaNumericW, TranslateMessage, PostThreadMessageW, PostQuitMessage, GetMessageW
msvcrt.dll: _XcptFilter, _amsg_exit, __getmainargs, __set_app_type, exit, _exit, _cexit, _ismbblead, __setusermatherr, _initterm, _acmdln, _fmode, _commode, _lock, _unlock, __dllonexit, _onexit, memcpy, memset, ?terminate@@YAXXZ, _vsnprintf, _wcsicmp, __C_specific_handler, _vsnwprintf
ntdll.dll: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
ole32.dll: CoUninitialize, CoRegisterClassObject, StgOpenStorage, CoRevokeClassObject, CoInitialize
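The Import Hash given in the static information is the MD5 of the lower-cased "library.function" pairs in import-table order, with the library's extension removed, as pefile computes it. As an added example (not from the report), the following Python derives that value from the import listing above and compares it with the reported hash. Whether the listing preserves the table's original order is an assumption, so a mismatch from this reconstruction is not by itself meaningful; recompute from the file (for example with pefile's get_imphash()) before pivoting on the value. Delay-loaded imports (the DELAY_IMPORT directory and .didat section) do not enter the hash, and all imports here are by name, so no ordinal resolution is needed.

```python
"""Added example (not from the report): derive the Import Hash shown above.

imphash, as computed by pefile, is the MD5 of the comma-joined, lower-cased
"library.function" pairs in import-table order, with the library's .dll/.ocx/.sys
extension removed. IMPORTS is transcribed from the report's DLL/Import table;
that it preserves the table's order is an assumption. Delay-loaded imports are
not part of the hash, and every import here is by name, so ordinals are not handled.
"""
import hashlib

REPORTED_IMPHASH = "0990a9500ff8df93e0e059ee13e7c796"   # value shown in this report

IMPORTS = {
    "ADVAPI32.dll": """GetTokenInformation SetSecurityDescriptorGroup MakeAbsoluteSD MakeSelfRelativeSD
        RegQueryValueExW OpenThreadToken AddAccessAllowedAce GetSecurityDescriptorLength GetLengthSid
        StartServiceCtrlDispatcherW RegOpenKeyExW InitializeAcl InitializeSecurityDescriptor SetThreadToken
        FreeSid OpenProcessToken RegSetValueExW RegisterServiceCtrlHandlerW RegCreateKeyExW SetServiceStatus
        AllocateAndInitializeSid EqualSid GetAce SetSecurityDescriptorOwner RegEnumKeyW RegCloseKey
        RevertToSelf AdjustTokenPrivileges SetSecurityDescriptorDacl LookupPrivilegeValueW""".split(),
    "KERNEL32.dll": """CompareStringW SetLastError EnterCriticalSection GetCommandLineW GetCurrentProcess
        lstrlenW GetStdHandle WriteFile GetModuleHandleExW GetModuleFileNameW LeaveCriticalSection
        InitializeCriticalSection GetEnvironmentVariableW GetLocaleInfoW WaitForSingleObject OpenEventW
        GetVersionExW GetSystemDefaultLangID GetACP OpenProcess GetVersion SetProcessMitigationPolicy
        CreateEventW MultiByteToWideChar Sleep FormatMessageW GetLastError OutputDebugStringW SetEvent
        GetCurrentThread GlobalAlloc GlobalFree CloseHandle LoadLibraryW CreateThread SetCurrentDirectoryW
        GetProcAddress DeleteCriticalSection ExitProcess UnhandledExceptionFilter GetModuleHandleW
        FreeLibrary WideCharToMultiByte GetFileType lstrcmpW LoadLibraryExW GetSystemDirectoryW
        LoadLibraryExA GetTickCount GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId
        QueryPerformanceCounter TerminateProcess SetUnhandledExceptionFilter DelayLoadFailureHook
        GetStartupInfoW""".split(),
    "USER32.dll": """MsgWaitForMultipleObjects DispatchMessageW PeekMessageW IsCharAlphaNumericW
        TranslateMessage PostThreadMessageW PostQuitMessage GetMessageW""".split(),
    "msvcrt.dll": """_XcptFilter _amsg_exit __getmainargs __set_app_type exit _exit _cexit _ismbblead
        __setusermatherr _initterm _acmdln _fmode _commode _lock _unlock __dllonexit _onexit memcpy
        memset ?terminate@@YAXXZ _vsnprintf _wcsicmp __C_specific_handler _vsnwprintf""".split(),
    "ntdll.dll": "RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind".split(),
    "ole32.dll": "CoUninitialize CoRegisterClassObject StgOpenStorage CoRevokeClassObject CoInitialize".split(),
}


def imphash(imports) -> str:
    """pefile-compatible import hash of an ordered {dll: [function, ...]} mapping."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):      # same extension stripping as pefile
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def matches_report(imports=IMPORTS) -> bool:
    """True if the hash of the transcribed listing equals the report's Import Hash."""
    return imphash(imports) == REPORTED_IMPHASH


if __name__ == "__main__":
    print("computed:", imphash(IMPORTS), "reported:", REPORTED_IMPHASH, "match:", matches_report())
```

Because the hash is order-sensitive, two builds of the same source with a different import order produce different values, which is why imphash clusters linker output rather than source code; it is a pivot, not an identity.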
Language of compilation system: English
Country where language is spoken: United States
No network behavior found

Target ID: 0
Start time: 10:57:06
Start date: 01/10/2024
Path: C:\Users\user\Desktop\msiexec.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\msiexec.exe"
Imagebase: 0x7ff7e8910000
File size: 176'128 bytes
MD5 hash: C0D3BDDE74C1EC82F75681D4D5ED44C8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph
Execution Coverage: 8.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 51.2%
Total number of Nodes: 1157
Total number of Limit Nodes: 16
[Execution graph node/edge listing omitted. Chains recoverable from it: StartServiceCtrlDispatcherW → GetLastError → RegCreateKeyExW/RegSetValueExW error logging ending in OutputDebugStringW (0x7ff7e89191bc → 0x7ff7e8915934); delay-load resolution via LoadLibraryExW or LoadLibraryW → GetProcAddress → FreeLibrary/SetLastError (0x7ff7e891a1f0, 0x7ff7e891a330); the CRT failure path RtlCaptureContext → RtlLookupFunctionEntry → RtlVirtualUnwind → SetUnhandledExceptionFilter → UnhandledExceptionFilter → GetCurrentProcess → TerminateProcess (0x7ff7e8911490 / 0x7ff7e89114b4); the service-mode setup at 0x7ff7e891819b with RegOpenKeyExW, MakeAbsoluteSD, InitializeCriticalSection/CreateEventW, CoRegisterClassObject, a MsgWaitForMultipleObjects / PeekMessageW / TranslateMessage / DispatchMessageW loop and CoRevokeClassObject / CoUninitialize teardown; and version-information lookups via GetFileVersionInfoSizeExW and GetFileVersionInfoW (0x7ff7e8919f19, 0x7ff7e8919e9f).]
3178 7ff7e89155b8 3177->3178 3292 7ff7e89120bc GetCurrentThread OpenThreadToken 3177->3292 3180 7ff7e8913f08 3178->3180 3181 7ff7e8913f5b 3180->3181 3182 7ff7e8913f8f 3181->3182 3183 7ff7e8914605 3181->3183 3184 7ff7e8913f98 3182->3184 3185 7ff7e891451e 3182->3185 3186 7ff7e8912050 FreeSid 3183->3186 3188 7ff7e89143db 3184->3188 3189 7ff7e8913fa1 3184->3189 3187 7ff7e8912050 FreeSid 3185->3187 3190 7ff7e8914611 AllocateAndInitializeSid 3186->3190 3191 7ff7e891452a AllocateAndInitializeSid 3187->3191 3192 7ff7e8912050 FreeSid 3188->3192 3193 7ff7e8913faa 3189->3193 3194 7ff7e89142f0 3189->3194 3195 7ff7e8914a33 GetLastError 3190->3195 3196 7ff7e8914656 3190->3196 3198 7ff7e89145da GetLastError 3191->3198 3199 7ff7e891456b 3191->3199 3200 7ff7e89143e7 AllocateAndInitializeSid 3192->3200 3202 7ff7e89141bc 3193->3202 3203 7ff7e8913fb3 3193->3203 3201 7ff7e8912050 FreeSid 3194->3201 3211 7ff7e89141a6 3195->3211 3197 7ff7e8912050 FreeSid 3196->3197 3205 7ff7e8914662 AllocateAndInitializeSid 3197->3205 3198->3211 3206 7ff7e8912050 FreeSid 3199->3206 3207 7ff7e891442c 3200->3207 3208 7ff7e89144f3 GetLastError 3200->3208 3209 7ff7e89142fc AllocateAndInitializeSid 3201->3209 3210 7ff7e8912050 FreeSid 3202->3210 3204 7ff7e8913fb8 3203->3204 3302 7ff7e8912050 3203->3302 3212 7ff7e8914752 memset 3204->3212 3205->3195 3214 7ff7e89146a6 3205->3214 3215 7ff7e8914577 AllocateAndInitializeSid 3206->3215 3216 7ff7e8912050 FreeSid 3207->3216 3208->3211 3217 7ff7e891433d 3209->3217 3218 7ff7e89143b0 GetLastError 3209->3218 3219 7ff7e89141c8 AllocateAndInitializeSid 3210->3219 3240 7ff7e8911490 7 API calls 3211->3240 3226 7ff7e8914777 GlobalAlloc 3212->3226 3227 7ff7e89147c8 InitializeAcl 3212->3227 3221 7ff7e8912050 FreeSid 3214->3221 3215->3198 3249 7ff7e891415c 3215->3249 3222 7ff7e8914438 AllocateAndInitializeSid 3216->3222 3223 7ff7e8912050 FreeSid 3217->3223 3218->3211 3224 7ff7e891420c 3219->3224 3225 7ff7e89142c5 GetLastError 3219->3225 3228 7ff7e89146b2 AllocateAndInitializeSid 
3221->3228 3222->3208 3229 7ff7e891447e 3222->3229 3235 7ff7e8914349 AllocateAndInitializeSid 3223->3235 3230 7ff7e8912050 FreeSid 3224->3230 3225->3211 3226->3227 3231 7ff7e891479e 3226->3231 3234 7ff7e89147e3 GetLastError 3227->3234 3261 7ff7e8914818 3227->3261 3228->3195 3228->3249 3236 7ff7e8912050 FreeSid 3229->3236 3238 7ff7e8914218 AllocateAndInitializeSid 3230->3238 3239 7ff7e8911f68 GlobalFree 3231->3239 3232 7ff7e8914017 3241 7ff7e8912050 FreeSid 3232->3241 3233 7ff7e8914191 GetLastError 3233->3211 3242 7ff7e8911f68 GlobalFree 3234->3242 3235->3218 3235->3249 3243 7ff7e891448a AllocateAndInitializeSid 3236->3243 3237 7ff7e8914732 GetLengthSid 3237->3212 3237->3237 3238->3225 3244 7ff7e8914259 3238->3244 3239->3211 3245 7ff7e8914a6a 3240->3245 3246 7ff7e8914023 AllocateAndInitializeSid 3241->3246 3242->3211 3243->3208 3243->3249 3250 7ff7e8912050 FreeSid 3244->3250 3245->3059 3245->3060 3246->3233 3253 7ff7e8914068 3246->3253 3247 7ff7e89148e7 InitializeSecurityDescriptor 3251 7ff7e8914a01 GetLastError 3247->3251 3252 7ff7e8914905 SetSecurityDescriptorDacl 3247->3252 3248 7ff7e891482a AddAccessAllowedAce 3254 7ff7e891484c GetAce 3248->3254 3255 7ff7e89148b2 GetLastError 3248->3255 3249->3237 3258 7ff7e8914265 AllocateAndInitializeSid 3250->3258 3256 7ff7e8911f68 GlobalFree 3251->3256 3252->3251 3259 7ff7e8914929 SetSecurityDescriptorOwner 3252->3259 3260 7ff7e8912050 FreeSid 3253->3260 3254->3261 3262 7ff7e891487d GetLastError 3254->3262 3257 7ff7e8911f68 GlobalFree 3255->3257 3256->3211 3257->3211 3258->3225 3258->3249 3259->3251 3264 7ff7e8914948 3259->3264 3265 7ff7e8914074 AllocateAndInitializeSid 3260->3265 3261->3247 3261->3248 3263 7ff7e8911f68 GlobalFree 3262->3263 3263->3211 3266 7ff7e891496c GetSecurityDescriptorLength 3264->3266 3267 7ff7e891494d SetSecurityDescriptorGroup 3264->3267 3265->3233 3268 7ff7e89140be 3265->3268 3269 7ff7e8914987 3266->3269 3270 7ff7e89149b1 MakeSelfRelativeSD 3266->3270 3267->3251 3267->3266 3271 7ff7e8912050 FreeSid 
3268->3271 3272 7ff7e8911f68 GlobalFree 3269->3272 3273 7ff7e89149cb 3270->3273 3274 7ff7e89149cf GetLastError 3270->3274 3275 7ff7e89140ca AllocateAndInitializeSid 3271->3275 3272->3211 3278 7ff7e8911f68 GlobalFree 3273->3278 3274->3273 3275->3233 3276 7ff7e891410f 3275->3276 3277 7ff7e8912050 FreeSid 3276->3277 3279 7ff7e891411b AllocateAndInitializeSid 3277->3279 3278->3211 3279->3233 3279->3249 3281 7ff7e8911e7d memset 3280->3281 3282 7ff7e8911e5f GlobalAlloc 3280->3282 3283 7ff7e8911e78 3281->3283 3282->3283 3283->3064 3285 7ff7e8913ec1 3284->3285 3286 7ff7e8913ed7 3284->3286 3287 7ff7e8913f08 50 API calls 3285->3287 3286->3113 3286->3116 3287->3286 3289 7ff7e8911f7d 3288->3289 3290 7ff7e8911f75 3288->3290 3289->3095 3305 7ff7e891202c 3290->3305 3293 7ff7e8912127 GetLastError 3292->3293 3294 7ff7e8912160 3292->3294 3295 7ff7e891213a GetCurrentProcess OpenProcessToken 3293->3295 3296 7ff7e89121b3 3293->3296 3297 7ff7e89121b7 AdjustTokenPrivileges CloseHandle GetLastError 3294->3297 3298 7ff7e891216b LookupPrivilegeValueW 3294->3298 3295->3294 3295->3296 3300 7ff7e8911490 7 API calls 3296->3300 3297->3296 3298->3294 3299 7ff7e89121a2 CloseHandle 3298->3299 3299->3296 3301 7ff7e8912212 3300->3301 3301->3178 3303 7ff7e891206d AllocateAndInitializeSid 3302->3303 3304 7ff7e8912061 FreeSid 3302->3304 3303->3232 3303->3233 3304->3303 3306 7ff7e8912041 3305->3306 3307 7ff7e8912035 GlobalFree 3305->3307 3306->3289 3307->3306 3308 7ff7e891a91b DeleteCriticalSection 2706 7ff7e8911d1d 2707 7ff7e8911c32 2706->2707 2709 7ff7e891a560 2707->2709 2723 7ff7e891a4b0 2709->2723 2712 7ff7e891a5bb LdrResolveDelayLoadedAPI 2714 7ff7e891a6ce 2712->2714 2713 7ff7e891a5f5 2715 7ff7e891a6a7 GetProcAddress 2713->2715 2716 7ff7e891a624 LoadLibraryExA 2713->2716 2714->2707 2717 7ff7e891a6b7 2715->2717 2718 7ff7e891a6bc DelayLoadFailureHook 2715->2718 2716->2718 2719 7ff7e891a640 2716->2719 2717->2714 2718->2714 2720 7ff7e891a69c FreeLibrary 2719->2720 2721 7ff7e891a654 memset 2719->2721 
2720->2715 2721->2715 2722 7ff7e891a682 2721->2722 2722->2715 2724 7ff7e891a4cf 2723->2724 2725 7ff7e891a4cb 2723->2725 2724->2725 2726 7ff7e891a4d9 GetModuleHandleW 2724->2726 2725->2712 2725->2713 2727 7ff7e891a4ed GetModuleHandleW 2726->2727 2728 7ff7e891a506 GetProcAddress 2726->2728 2727->2728 2729 7ff7e891a501 2727->2729 2728->2729 2730 7ff7e891a521 GetProcAddress 2728->2730 2729->2725 2730->2729 3312 7ff7e89197a0 3313 7ff7e89197c6 3312->3313 3314 7ff7e89197a6 3312->3314 3315 7ff7e89197f0 SetProcessMitigationPolicy 3313->3315 3320 7ff7e8919fe0 3 API calls 3313->3320 3321 7ff7e8916068 3315->3321 3320->3315 3614 7ff7e891a7d0 3321->3614 3324 7ff7e89160ec GetCommandLineW 3326 7ff7e8916133 GetStdHandle 3324->3326 3325 7ff7e89160de 3325->3324 3328 7ff7e8916172 GetFileType 3326->3328 3329 7ff7e8916186 3326->3329 3328->3329 3330 7ff7e891618d memset memset 3328->3330 3329->3330 3332 7ff7e89161c8 3330->3332 3331 7ff7e89163ad 3334 7ff7e89163e2 3331->3334 3335 7ff7e89163c3 3331->3335 3332->3331 3333 7ff7e891620a 3332->3333 3616 7ff7e89152dc 3333->3616 3338 7ff7e8918b64 2 API calls 3334->3338 3336 7ff7e89163d9 3335->3336 3337 7ff7e89163c9 GlobalFree 3335->3337 3343 7ff7e89163a6 3336->3343 3344 7ff7e89168cb GlobalFree 3336->3344 3337->3336 3339 7ff7e89163f1 3338->3339 3341 7ff7e8916437 3339->3341 3342 7ff7e89163f5 3339->3342 3341->3335 3371 7ff7e891661e 3341->3371 3346 7ff7e891640b 3342->3346 3347 7ff7e89163fb GlobalFree 3342->3347 3351 7ff7e8911490 7 API calls 3343->3351 3344->3343 3345 7ff7e891623e 3348 7ff7e8916242 3345->3348 3350 7ff7e8914e70 RegOpenKeyExW 3345->3350 3346->3343 3349 7ff7e891641d GlobalFree 3346->3349 3347->3346 3626 7ff7e8918dd0 3348->3626 3349->3343 3354 7ff7e891628f 3350->3354 3355 7ff7e8916d6a 3351->3355 3358 7ff7e8916297 RegQueryValueExW 3354->3358 3359 7ff7e891636e 3354->3359 3608 7ff7e891a41c 3355->3608 3356 7ff7e8916261 3356->3343 3364 7ff7e8916dd1 GlobalFree 3356->3364 3357 7ff7e8916251 GlobalFree 3357->3356 3362 7ff7e89162d0 3358->3362 3363 
7ff7e8916325 RegCloseKey 3358->3363 3360 7ff7e8916384 3359->3360 3361 7ff7e8916374 GlobalFree 3359->3361 3360->3343 3365 7ff7e8916396 GlobalFree 3360->3365 3361->3360 3658 7ff7e8918b64 3362->3658 3363->3359 3367 7ff7e8916339 3363->3367 3364->3343 3365->3343 3367->3359 3440 7ff7e891633f 3367->3440 3369 7ff7e89162f7 RegQueryValueExW 3369->3363 3370 7ff7e89162e6 RegCloseKey 3370->3342 3372 7ff7e8916672 CompareStringW 3371->3372 3373 7ff7e89166a8 CompareStringW 3371->3373 3410 7ff7e89166f1 3371->3410 3372->3371 3372->3410 3373->3371 3373->3410 3374 7ff7e8916deb 3376 7ff7e8916df7 3374->3376 3377 7ff7e8916f41 3374->3377 3375 7ff7e891688a 3382 7ff7e89168a4 3375->3382 3417 7ff7e89168e5 3375->3417 3378 7ff7e8916e13 3376->3378 3387 7ff7e8914a8c 3 API calls 3376->3387 3379 7ff7e8914a8c 3 API calls 3377->3379 3394 7ff7e8916f20 3378->3394 3418 7ff7e8916e7d 3378->3418 3383 7ff7e8916f46 3379->3383 3380 7ff7e8916998 memset 3667 7ff7e8914eb4 3380->3667 3385 7ff7e89168b9 3382->3385 3386 7ff7e89168aa GlobalFree 3382->3386 3389 7ff7e8916f4f 3383->3389 3390 7ff7e8916e81 3383->3390 3384 7ff7e8916795 CompareStringW 3384->3410 3385->3336 3386->3385 3387->3378 3392 7ff7e8918dd0 32 API calls 3389->3392 3398 7ff7e8916d17 3390->3398 3413 7ff7e8916fab CoInitialize 3390->3413 3429 7ff7e8916f8e 3390->3429 3391 7ff7e8916cf8 3399 7ff7e8918dd0 32 API calls 3391->3399 3392->3398 3393 7ff7e8916a4f 3400 7ff7e8918dd0 32 API calls 3393->3400 3396 7ff7e8916d30 3394->3396 3397 7ff7e8916f29 GlobalFree 3394->3397 3396->3343 3411 7ff7e8916d49 GlobalFree 3396->3411 3397->3396 3398->3396 3406 7ff7e8916d20 GlobalFree 3398->3406 3404 7ff7e8916d01 3399->3404 3405 7ff7e8916a58 3400->3405 3401 7ff7e8916846 3402 7ff7e8916861 3401->3402 3403 7ff7e8916851 GlobalFree 3401->3403 3407 7ff7e8916883 3402->3407 3408 7ff7e8916873 GlobalFree 3402->3408 3403->3402 3409 7ff7e8911f8c GlobalFree 3404->3409 3685 7ff7e8914a8c GetVersion 3405->3685 3406->3396 3407->3343 3408->3407 3409->3405 3410->3375 3410->3384 3410->3401 3663 
7ff7e8912554 3410->3663 3411->3343 3415 7ff7e891a1f0 17 API calls 3413->3415 3415->3429 3416 7ff7e8916aa9 lstrlenW 3419 7ff7e8918ae4 2 API calls 3416->3419 3417->3391 3417->3440 3677 7ff7e8915320 3417->3677 3681 7ff7e8911f8c 3417->3681 3418->3390 3420 7ff7e8916eec 3418->3420 3419->3440 3691 7ff7e8912f1c memset 3420->3691 3421 7ff7e8917f99 GetMessageW 3425 7ff7e8917fcf TranslateMessage DispatchMessageW 3421->3425 3426 7ff7e8917fb5 3421->3426 3422 7ff7e8917022 3422->3421 3430 7ff7e89170bd 3422->3430 3456 7ff7e8917106 3422->3456 3425->3421 3426->3425 3428 7ff7e8917eef 3426->3428 3427 7ff7e8916fd9 CoRegisterClassObject 3427->3422 3427->3429 3431 7ff7e8917f14 CoUninitialize 3428->3431 3433 7ff7e8917f08 CoRevokeClassObject 3428->3433 3429->3422 3429->3427 3435 7ff7e8915934 21 API calls 3430->3435 3431->3398 3432 7ff7e8917f29 3431->3432 3434 7ff7e8912f1c 26 API calls 3432->3434 3433->3431 3438 7ff7e8917f33 3434->3438 3439 7ff7e89170ce 3435->3439 3436 7ff7e89152dc memcpy memcpy memcpy memcpy 3436->3440 3437 7ff7e8917130 GetCurrentThread OpenThreadToken 3443 7ff7e89172b0 3437->3443 3444 7ff7e8917261 GetLastError 3437->3444 3442 7ff7e8917f3c GlobalFree 3438->3442 3484 7ff7e8917219 3438->3484 3445 7ff7e89170d7 GlobalFree 3439->3445 3447 7ff7e89170e7 3439->3447 3440->3348 3440->3374 3440->3380 3440->3393 3440->3405 3440->3416 3440->3436 3446 7ff7e8916d96 3440->3446 3442->3484 3449 7ff7e89172c1 RegCloseKey RegEnumKeyW 3443->3449 3450 7ff7e89172b5 RevertToSelf 3443->3450 3444->3443 3448 7ff7e891727c 3444->3448 3445->3447 3451 7ff7e8918dd0 32 API calls 3446->3451 3447->3343 3459 7ff7e8917f65 GlobalFree 3447->3459 3453 7ff7e8915934 21 API calls 3448->3453 3454 7ff7e89172ff GetCurrentProcess OpenProcessToken 3449->3454 3455 7ff7e89172f3 RevertToSelf 3449->3455 3450->3449 3452 7ff7e8916d9f 3451->3452 3452->3356 3457 7ff7e8916da8 GlobalFree 3452->3457 3458 7ff7e891728a 3453->3458 3460 7ff7e89173e7 GetLastError memset 3454->3460 3461 7ff7e891733b 3454->3461 3455->3454 3456->3437 3462 
7ff7e89171a3 OpenEventW 3456->3462 3457->3356 3458->3447 3465 7ff7e8917293 GlobalFree 3458->3465 3459->3343 3467 7ff7e89193d0 _vsnwprintf 3460->3467 3714 7ff7e89138c8 3461->3714 3463 7ff7e89171cb WaitForSingleObject CloseHandle 3462->3463 3464 7ff7e8917f7f GetLastError 3462->3464 3463->3437 3468 7ff7e89171f2 3463->3468 3464->3421 3465->3447 3470 7ff7e8917428 3467->3470 3471 7ff7e8915934 21 API calls 3468->3471 3476 7ff7e891746e 3470->3476 3479 7ff7e8917436 3470->3479 3474 7ff7e8917200 3471->3474 3472 7ff7e891734d GetTokenInformation 3473 7ff7e89173cf CloseHandle 3472->3473 3475 7ff7e891737e EqualSid 3472->3475 3473->3470 3477 7ff7e8917209 GlobalFree 3474->3477 3474->3484 3478 7ff7e891739a 3475->3478 3480 7ff7e8915934 21 API calls 3476->3480 3477->3484 3478->3473 3482 7ff7e891745e 3479->3482 3483 7ff7e89174b5 3479->3483 3481 7ff7e891747f 3480->3481 3481->3484 3485 7ff7e8917485 GlobalFree 3481->3485 3487 7ff7e8913f08 50 API calls 3482->3487 3486 7ff7e8915934 21 API calls 3483->3486 3484->3447 3485->3484 3488 7ff7e89174c6 3486->3488 3489 7ff7e8917540 3487->3489 3488->3484 3491 7ff7e89174cc GlobalFree 3488->3491 3490 7ff7e8917583 3489->3490 3492 7ff7e891755f 3489->3492 3493 7ff7e8917553 CloseHandle 3489->3493 3726 7ff7e8911de4 3490->3726 3491->3484 3495 7ff7e8915934 21 API calls 3492->3495 3493->3492 3497 7ff7e891756d 3495->3497 3497->3490 3499 7ff7e8917573 GlobalFree 3497->3499 3498 7ff7e8911de4 2 API calls 3500 7ff7e89175bd 3498->3500 3499->3490 3501 7ff7e8911de4 2 API calls 3500->3501 3502 7ff7e89175cc 3501->3502 3503 7ff7e8911de4 2 API calls 3502->3503 3504 7ff7e89175db 3503->3504 3505 7ff7e8911de4 2 API calls 3504->3505 3506 7ff7e89175ea MakeAbsoluteSD 3505->3506 3507 7ff7e891765b GetLastError 3506->3507 3508 7ff7e89176cc 3506->3508 3509 7ff7e8917682 3507->3509 3510 7ff7e8917676 CloseHandle 3507->3510 3512 7ff7e8917782 CreateEventW 3508->3512 3514 7ff7e8917727 CloseHandle 3508->3514 3551 7ff7e8917733 3508->3551 3511 7ff7e8915934 21 API calls 3509->3511 3510->3509 
3513 7ff7e8917690 3511->3513 3515 7ff7e89177d4 CreateEventW 3512->3515 3512->3551 3730 7ff7e8911f44 3513->3730 3514->3551 3520 7ff7e891788f 3515->3520 3521 7ff7e89177f6 3515->3521 3517 7ff7e89177ba GetLastError 3517->3551 3518 7ff7e89177ae CloseHandle 3518->3517 3734 7ff7e8912c84 3520->3734 3525 7ff7e891780f GetLastError 3521->3525 3526 7ff7e8917803 CloseHandle 3521->3526 3522 7ff7e8915934 21 API calls 3522->3551 3524 7ff7e8911f44 GlobalFree 3528 7ff7e89176a8 3524->3528 3529 7ff7e8915934 21 API calls 3525->3529 3526->3525 3532 7ff7e8911f44 GlobalFree 3528->3532 3552 7ff7e8917829 3529->3552 3530 7ff7e89178fe 3743 7ff7e8912a08 3530->3743 3531 7ff7e89178b0 3534 7ff7e89178c9 3531->3534 3535 7ff7e89178bd CloseHandle 3531->3535 3537 7ff7e89176b4 3532->3537 3533 7ff7e8911f44 GlobalFree 3538 7ff7e8917835 3533->3538 3542 7ff7e8915934 21 API calls 3534->3542 3535->3534 3540 7ff7e8911f44 GlobalFree 3537->3540 3541 7ff7e8911f44 GlobalFree 3538->3541 3544 7ff7e89176c0 3540->3544 3547 7ff7e8917841 3541->3547 3542->3552 3543 7ff7e8917913 3543->3534 3545 7ff7e8917920 CloseHandle 3543->3545 3546 7ff7e8911f44 GlobalFree 3544->3546 3545->3534 3546->3508 3548 7ff7e8911f44 GlobalFree 3547->3548 3549 7ff7e891784d 3548->3549 3550 7ff7e8911f44 GlobalFree 3549->3550 3553 7ff7e8917859 3550->3553 3551->3512 3551->3517 3551->3518 3551->3522 3554 7ff7e8911f44 GlobalFree 3551->3554 3552->3533 3555 7ff7e8911f44 GlobalFree 3553->3555 3554->3551 3556 7ff7e8917865 3555->3556 3556->3484 3557 7ff7e891786e GlobalFree 3556->3557 3557->3484 3558 7ff7e8917935 3559 7ff7e8917aa6 OpenProcess 3558->3559 3560 7ff7e8917a29 CloseHandle 3558->3560 3571 7ff7e8917a35 3558->3571 3559->3571 3560->3571 3561 7ff7e8917ade GetLastError 3561->3571 3562 7ff7e8917ad2 CloseHandle 3562->3561 3563 7ff7e8915934 21 API calls 3563->3571 3564 7ff7e8917b27 CloseHandle 3564->3571 3565 7ff7e8917b3f 3566 7ff7e8917c3a CloseHandle 3565->3566 3567 7ff7e8917c4e 3565->3567 3566->3567 3568 7ff7e8917c56 3567->3568 3586 7ff7e8917cec 
3567->3586 3570 7ff7e8915934 21 API calls 3568->3570 3569 7ff7e8911f44 GlobalFree 3569->3571 3572 7ff7e8917c67 3570->3572 3571->3559 3571->3561 3571->3562 3571->3563 3571->3564 3571->3565 3571->3569 3573 7ff7e8911f44 GlobalFree 3572->3573 3576 7ff7e8917c92 3573->3576 3574 7ff7e8917d45 MsgWaitForMultipleObjects 3575 7ff7e8917e85 CloseHandle 3574->3575 3574->3586 3584 7ff7e8911f44 GlobalFree 3575->3584 3578 7ff7e8911f44 GlobalFree 3576->3578 3577 7ff7e8917e76 CloseHandle 3577->3575 3580 7ff7e8917c9e 3578->3580 3579 7ff7e8917d85 CloseHandle 3585 7ff7e8917dbc OpenProcess 3579->3585 3583 7ff7e8911f44 GlobalFree 3580->3583 3582 7ff7e8917df1 PeekMessageW 3582->3574 3582->3586 3587 7ff7e8917caa 3583->3587 3588 7ff7e8917ebb 3584->3588 3585->3586 3589 7ff7e8917e3e 3585->3589 3586->3574 3586->3575 3586->3577 3586->3579 3586->3582 3590 7ff7e8917e1c TranslateMessage DispatchMessageW 3586->3590 3591 7ff7e8911f44 GlobalFree 3587->3591 3592 7ff7e8911f44 GlobalFree 3588->3592 3593 7ff7e8917e57 GetLastError 3589->3593 3594 7ff7e8917e4b CloseHandle 3589->3594 3590->3582 3595 7ff7e8917cb6 3591->3595 3596 7ff7e8917ec7 3592->3596 3597 7ff7e8915934 21 API calls 3593->3597 3594->3593 3598 7ff7e8911f44 GlobalFree 3595->3598 3599 7ff7e8911f44 GlobalFree 3596->3599 3600 7ff7e8917e71 3597->3600 3601 7ff7e8917cc2 3598->3601 3602 7ff7e8917ed3 3599->3602 3600->3577 3601->3484 3603 7ff7e8917ccb GlobalFree 3601->3603 3604 7ff7e8911f44 GlobalFree 3602->3604 3603->3484 3605 7ff7e8917edf 3604->3605 3606 7ff7e8911f44 GlobalFree 3605->3606 3607 7ff7e8917eeb 3606->3607 3607->3428 3609 7ff7e891a429 3608->3609 3610 7ff7e891a439 Sleep 3609->3610 3613 7ff7e891a44a 3609->3613 3610->3609 3611 7ff7e8919831 ExitProcess 3612 7ff7e891a47c FreeLibrary 3612->3611 3613->3611 3613->3612 3615 7ff7e8916091 GetVersionExW 3614->3615 3615->3324 3615->3325 3619 7ff7e8915234 3616->3619 3623 7ff7e8915074 3616->3623 3617 7ff7e89151bf 3620 7ff7e89151d9 memcpy 3617->3620 3622 7ff7e89151f4 3617->3622 3618 7ff7e89152b1 3618->3345 
3619->3618 3621 7ff7e8915295 memcpy 3619->3621 3620->3622 3621->3618 3622->3345 3623->3617 3623->3622 3624 7ff7e8915101 memcpy 3623->3624 3625 7ff7e8915166 memcpy 3623->3625 3624->3623 3625->3623 3627 7ff7e8918e37 3626->3627 3628 7ff7e8918ae4 2 API calls 3626->3628 3629 7ff7e8919107 3627->3629 3630 7ff7e8918ae4 2 API calls 3627->3630 3628->3627 3631 7ff7e891911e GlobalFree 3629->3631 3632 7ff7e891912f 3629->3632 3637 7ff7e8918e4d 3630->3637 3631->3632 3633 7ff7e891915a 3632->3633 3634 7ff7e8919146 GlobalFree 3632->3634 3635 7ff7e8911490 7 API calls 3633->3635 3634->3633 3636 7ff7e891624b 3635->3636 3636->3356 3636->3357 3637->3629 3638 7ff7e8918ae4 2 API calls 3637->3638 3639 7ff7e8918ea6 3638->3639 3640 7ff7e8918eae GetModuleFileNameW 3639->3640 3649 7ff7e89190d9 3639->3649 3642 7ff7e8918ed1 3640->3642 3640->3649 3641 7ff7e89190f6 GlobalFree 3641->3629 3657 7ff7e8919f19 20 API calls 3642->3657 3643 7ff7e8918efe 3644 7ff7e8918f67 3643->3644 3645 7ff7e8918f3f GlobalAlloc 3643->3645 3643->3649 3646 7ff7e891907b 3644->3646 3647 7ff7e8918f91 3644->3647 3648 7ff7e8918f85 GlobalFree 3644->3648 3645->3644 3646->3649 3650 7ff7e89190cd GlobalFree 3646->3650 3655 7ff7e8919e99 20 API calls 3647->3655 3656 7ff7e8919e9f 20 API calls 3647->3656 3648->3647 3649->3629 3649->3641 3650->3649 3651 7ff7e89193d0 _vsnwprintf 3652 7ff7e8919058 3651->3652 3652->3646 3654 7ff7e89193d0 _vsnwprintf 3652->3654 3653 7ff7e8918fcc 3653->3646 3653->3651 3654->3646 3655->3653 3656->3653 3657->3643 3659 7ff7e8918b81 GlobalAlloc 3658->3659 3660 7ff7e8918ba1 3658->3660 3659->3660 3661 7ff7e89162de 3660->3661 3662 7ff7e8918bb6 GlobalFree 3660->3662 3661->3369 3661->3370 3662->3661 3664 7ff7e891258c 3663->3664 3665 7ff7e8918c88 2 API calls 3664->3665 3666 7ff7e89125ca 3664->3666 3665->3666 3666->3410 3668 7ff7e8914ed7 IsCharAlphaNumericW 3667->3668 3670 7ff7e8914eee 3667->3670 3669 7ff7e8914fd9 3668->3669 3668->3670 3669->3417 3670->3669 3671 7ff7e8914fcb 3670->3671 3672 7ff7e8914ff3 3670->3672 3673 
7ff7e8915934 21 API calls 3671->3673 3672->3669 3674 7ff7e8915007 3672->3674 3675 7ff7e891202c GlobalFree 3672->3675 3673->3669 3674->3669 3676 7ff7e891500f GlobalAlloc 3674->3676 3675->3674 3676->3669 3678 7ff7e8915332 lstrlenW 3677->3678 3680 7ff7e891535a 3677->3680 3679 7ff7e8918be4 2 API calls 3678->3679 3679->3680 3680->3417 3682 7ff7e8911f99 3681->3682 3683 7ff7e8911fa1 3681->3683 3684 7ff7e891202c GlobalFree 3682->3684 3683->3417 3684->3683 3686 7ff7e8914aa0 3685->3686 3687 7ff7e8914af3 3685->3687 3686->3687 3688 7ff7e8914aa4 GetModuleHandleW 3686->3688 3687->3398 3688->3687 3689 7ff7e8914abc GetProcAddress 3688->3689 3689->3687 3690 7ff7e8914ad7 3689->3690 3690->3687 3692 7ff7e8912fa3 GetACP LoadLibraryW 3691->3692 3693 7ff7e8912f74 3691->3693 3694 7ff7e8912fcc GetProcAddress 3692->3694 3695 7ff7e891302f FormatMessageW 3692->3695 3693->3692 3699 7ff7e8913077 3693->3699 3696 7ff7e8912fe7 GetLocaleInfoW 3694->3696 3697 7ff7e8913020 FreeLibrary 3694->3697 3698 7ff7e8913066 3695->3698 3707 7ff7e8913087 3695->3707 3696->3697 3697->3695 3698->3699 3702 7ff7e8911668 7 API calls 3698->3702 3703 7ff7e89131dd 3699->3703 3704 7ff7e89130cf memset GetVersionExW 3699->3704 3706 7ff7e891324c 3699->3706 3700 7ff7e89193d0 _vsnwprintf 3700->3699 3702->3707 3705 7ff7e89131e7 lstrlenW WriteFile WriteFile 3703->3705 3703->3706 3708 7ff7e891312b 3704->3708 3709 7ff7e8913115 3704->3709 3705->3706 3710 7ff7e8911490 7 API calls 3706->3710 3707->3700 3708->3706 3713 7ff7e89131ca GlobalFree 3708->3713 3709->3708 3712 7ff7e8918ae4 2 API calls 3709->3712 3711 7ff7e891325b 3710->3711 3711->3390 3712->3708 3713->3706 3715 7ff7e8913989 3714->3715 3716 7ff7e8913912 AllocateAndInitializeSid 3714->3716 3719 7ff7e8911490 7 API calls 3715->3719 3717 7ff7e891395d GetLengthSid 3716->3717 3718 7ff7e891394f GetLastError 3716->3718 3720 7ff7e8913978 3717->3720 3721 7ff7e8913990 GetLengthSid 3717->3721 3718->3715 3722 7ff7e89139d9 3719->3722 3720->3715 3723 7ff7e891397d FreeSid 3720->3723 3724 
7ff7e89139ab 3721->3724 3722->3472 3722->3473 3723->3715 3724->3715 3725 7ff7e89139b8 FreeSid 3724->3725 3725->3715 3727 7ff7e8911e1d memset 3726->3727 3728 7ff7e8911dff GlobalAlloc 3726->3728 3729 7ff7e8911e18 3727->3729 3728->3729 3729->3498 3731 7ff7e8911f59 3730->3731 3732 7ff7e8911f51 3730->3732 3731->3524 3733 7ff7e891202c GlobalFree 3732->3733 3733->3731 3735 7ff7e8912cd4 3734->3735 3736 7ff7e8912cda memset 3735->3736 3739 7ff7e8912d15 3735->3739 3737 7ff7e89193d0 _vsnwprintf 3736->3737 3738 7ff7e8912d05 3737->3738 3738->3739 3740 7ff7e8915934 21 API calls 3738->3740 3741 7ff7e8911490 7 API calls 3739->3741 3740->3739 3742 7ff7e8912d7c 3741->3742 3742->3530 3742->3531 3744 7ff7e8912a47 GetProcAddress 3743->3744 3745 7ff7e8912a24 LoadLibraryW 3743->3745 3746 7ff7e8912a62 3744->3746 3745->3744 3745->3746 3746->3543 3746->3558 3747 7ff7e891a823 _XcptFilter 3748 7ff7e8919828 3749 7ff7e891982c 3748->3749 3750 7ff7e891a41c 2 API calls 3749->3750 3751 7ff7e8919831 ExitProcess 3750->3751 3752 7ff7e891a0aa 3755 7ff7e8919904 3752->3755 3756 7ff7e8919914 3755->3756 3757 7ff7e8919924 Sleep 3756->3757 3758 7ff7e8919935 3756->3758 3757->3756 3759 7ff7e8919972 3758->3759 3760 7ff7e891994a LoadLibraryW 3758->3760 3761 7ff7e8919979 GetProcAddress 3759->3761 3762 7ff7e8919993 3759->3762 3760->3759 3761->3762 3766 7ff7e8919e29 3767 7ff7e8919e39 3766->3767 3768 7ff7e8919e5a 3766->3768 3770 7ff7e89199b4 3767->3770 3771 7ff7e89199c4 3770->3771 3772 7ff7e89199d4 Sleep 3771->3772 3773 7ff7e89199e5 3771->3773 3772->3771 3774 7ff7e8919a06 3773->3774 3777 7ff7e891a1f0 17 API calls 3773->3777 3775 7ff7e8919a3c 3774->3775 3776 7ff7e8919a22 GetProcAddress 3774->3776 3775->3768 3776->3775 3777->3774 3779 7ff7e8914cac 3782 7ff7e8914e18 3779->3782 3783 7ff7e8914ceb 3779->3783 3780 7ff7e8911490 7 API calls 3781 7ff7e8914e50 3780->3781 3782->3780 3783->3782 3784 7ff7e8914dca lstrcmpW 3783->3784 3784->3782 3785 7ff7e8914de4 lstrcmpW 3784->3785 3785->3782 3786 7ff7e8914dfe lstrcmpW 3785->3786 
3786->3782 3787 7ff7e89118ae 3788 7ff7e89118bf 3787->3788 3789 7ff7e89118e2 3787->3789 3788->3789 3790 7ff7e89118db ?terminate@ 3788->3790 3790->3789 3791 7ff7e89180ae RegisterServiceCtrlHandlerW 3792 7ff7e89180fb 3791->3792 3793 7ff7e89180dc GetLastError 3791->3793 3794 7ff7e8915bc8 29 API calls 3792->3794 3793->3792 3795 7ff7e891810d 3794->3795 3796 7ff7e8918111 CreateThread 3795->3796 3797 7ff7e8918161 3795->3797 3798 7ff7e8918144 GetLastError 3796->3798 3799 7ff7e8918163 3796->3799 3800 7ff7e8915bc8 29 API calls 3798->3800 3799->3797 3801 7ff7e8918170 CloseHandle 3799->3801 3800->3797 3801->3797 3802 7ff7e891142e 3803 7ff7e891143d _exit 3802->3803 3804 7ff7e8911446 3802->3804 3803->3804 3805 7ff7e891145b 3804->3805 3806 7ff7e891144f _cexit 3804->3806 3806->3805 3807 7ff7e8911fb0 3808 7ff7e8911fc9 3807->3808 3809 7ff7e8911fba CloseHandle 3807->3809 3809->3808 3813 7ff7e8917ff9 3814 7ff7e891808b 3813->3814 3815 7ff7e891800e 3813->3815 3817 7ff7e8915bc8 29 API calls 3814->3817 3816 7ff7e8913544 4 API calls 3815->3816 3819 7ff7e891801a 3816->3819 3818 7ff7e891809c 3817->3818 3819->3814 3820 7ff7e8918027 SetEvent 3819->3820 3821 7ff7e8918055 3819->3821 3820->3814 3822 7ff7e8915bc8 29 API calls 3821->3822 3823 7ff7e8918064 PostThreadMessageW 3822->3823 3823->3814 3827 7ff7e89111fb 3828 7ff7e8911ad4 6 API calls 3827->3828 3829 7ff7e8911209 GetStartupInfoW 3828->3829 3831 7ff7e891124b 3829->3831 3832 7ff7e891125d 3831->3832 3833 7ff7e891127a Sleep 3831->3833 3834 7ff7e8911287 3832->3834 3835 7ff7e891126d _amsg_exit 3832->3835 3833->3831 3836 7ff7e89112e6 3834->3836 3838 7ff7e89112ea 3834->3838 3848 7ff7e89118fe SetUnhandledExceptionFilter 3834->3848 3835->3836 3837 7ff7e8911309 _initterm 3836->3837 3836->3838 3839 7ff7e8911326 _IsNonwritableInCurrentImage 3836->3839 3837->3839 3840 7ff7e8911394 3839->3840 3841 7ff7e891140f _ismbblead 3839->3841 3842 7ff7e89197b8 232 API calls 3840->3842 3841->3839 3843 7ff7e89113cf 3842->3843 3844 7ff7e89113de exit 3843->3844 3845 
    (Remainder of the call-graph edge list; graph rendering omitted.) APIs referenced in this part: _cexit, lstrlenW, GlobalAlloc, GlobalFree, GetStartupInfoW, Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage, _ismbblead, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetProcessMitigationPolicy, FreeLibrary, ExitProcess, GetProcAddress, LoadLibraryW, LoadLibraryExW, WideCharToMultiByte, MultiByteToWideChar, _vsnwprintf, InitializeCriticalSection, FreeSid, CoInitialize, CoUninitialize, SetCurrentDirectoryW, GetLastError, SetLastError, SetThreadToken, WaitForSingleObject, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, GetCurrentProcess, TerminateProcess, StgOpenStorage, __GSHandlerCheckCommon, __C_specific_handler.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Global$Free$CompareStringmemset$CloseQueryValue$AllocCommandFileHandleLineTypeVersionlstrlen
    • String ID: /l*$/qb!- REBOOTPROMPT=S$/qn$A$OLEAUT32.dll$OpenProcessToken failed with %d$REBOOT=Force$REBOOT=ReallySuppress$REBOOTPROMPT=""$RUVEH?IJDqXFAtPYZlgmnc$ServerMain (CA): Access to token failed$ServerMain (CA): CoInitializeSecurity failed$ServerMain (CA): Connect to remote object failed.$ServerMain (CA): Connection to Service failed.$ServerMain (CA): Could not open synchronization handle.$ServerMain (CA): Create Custom Action Server failed.$ServerMain (CA): Error: Access to SD$ServerMain (CA): Error: Format SD$ServerMain (CA): Error: Watch for change-of-owning-process signal$ServerMain (CA): Error: Watch for the shutdown signal$ServerMain (CA): Error: icacContext in CA server should be AISImpersonated but is not any impersonated type$ServerMain (CA): Error: icacContext in CA server should be EEUI but is not any impersonated type$ServerMain (CA): Impersonation token not saved.$ServerMain (CA): Open synchronization event failed$ServerMain (CA): Parsing command line failed$ServerMain (CA): Process not registered with service.$ServerMain (CA): Wait on synchronization event failed$ServerMain (CA): Wrong command line$Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries$forcerestart$help$log$norestart$package$passive$promptrestart$quiet$uninstall$update
    • API String ID: 174257794-414071484
    • Opcode ID: d03e7f159ca7830554a359dcaf61971cc37f2a6a050cb34d4e2a2435689f6eee
    • Instruction ID: 69880e4d484d4a850d339ac35b5d6d3b5824eb61636d8d83c65eb7607f4060dc
    • Opcode Fuzzy Hash: d03e7f159ca7830554a359dcaf61971cc37f2a6a050cb34d4e2a2435689f6eee
    • Instruction Fuzzy Hash: BA135D32E0CA829EE720AF20D8402B9F7A1FB4575AFC24132DA4E47B95DF38D545C766

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressDelayLibraryLoadLoadedProcResolvememset
    • String ID:
    • API String ID: 2833715811-0
    • Opcode ID: c336bbc64626cf6acc10d63c40c27c14f3d607f4eb150b479cc6a567ab64b1a8
    • Instruction ID: b29ece8bec12c8204916ce48ade14c7bdc864c4d9d9203a64af3f752736c1e34
    • Opcode Fuzzy Hash: c336bbc64626cf6acc10d63c40c27c14f3d607f4eb150b479cc6a567ab64b1a8
    • Instruction Fuzzy Hash: 1B418322E0DA458AEA10EF11A810779F3A1FB88BD6F964436EE0D07755DF3DE812C719

    Control-flow Graph

    control_flow_graph 901: single block 7ff7e89118fe-7ff7e8911917 (graph rendering omitted). API referenced: SetUnhandledExceptionFilter.
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: ab7e7ed8b22fc635fe768c853d46f40f9f3d5d15748e46d1c957a6409a67a8d5
    • Instruction ID: b35b8c5f35e839bf2a0803aa690329d3cbf7b78626863cec1c454cc97c3fe80d
    • Opcode Fuzzy Hash: ab7e7ed8b22fc635fe768c853d46f40f9f3d5d15748e46d1c957a6409a67a8d5
    • Instruction Fuzzy Hash: 89B02403F070C301D10073700D4400415400F475307CC1554C31CC3DC0CC1CC15D0314

    Control-flow Graph

    control_flow_graph 614: function 7ff7e8918dcc (graph rendering omitted). APIs referenced: GetModuleFileNameW, GlobalAlloc, GlobalFree; internal calls: 7ff7e8918ae4, 7ff7e8923070, 7ff7e8919f19, 7ff7e8919e99 / 7ff7e8919e9f, 7ff7e89193d0, 7ff7e8923008, 7ff7e8911490.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Global$Free$Alloc$FileModuleName
    • String ID: %d.%d.%.4d.%d
    • API String ID: 906160587-3399825337
    • Opcode ID: 02e69f7bae08479ec80e5be7f179d9694ccf5c4fd234633bba0881401daf2d7b
    • Instruction ID: bd48930df6289c4ce66553466a5839e2f467a63abbc9af167201a1aea6e462bc
    • Opcode Fuzzy Hash: 02e69f7bae08479ec80e5be7f179d9694ccf5c4fd234633bba0881401daf2d7b
    • Instruction Fuzzy Hash: 16A16C32A0CB858AD7609F15E4803AAF7A1FB88B81F924137DA8E43B54DF3CD445CB55

    Control-flow Graph

    control_flow_graph 667: function 7ff7e8918dd0 (graph rendering omitted). APIs referenced: GetModuleFileNameW, GlobalAlloc, GlobalFree; internal calls: 7ff7e8918ae4, 7ff7e8923070, 7ff7e8919f19, 7ff7e8919e99 / 7ff7e8919e9f, 7ff7e89193d0, 7ff7e8923008, 7ff7e8911490.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Global$Free$Alloc$FileModuleName
    • String ID: %d.%d.%.4d.%d
    • API String ID: 906160587-3399825337
    • Opcode ID: a08a1fad544d618311739ca1bdcded878cdbc9abc91d9f20afada6d795820cb7
    • Instruction ID: 0d54f08f1a740c85dda35b0794c2164cfbfe31c860631562d75b1f7ea5e6edff
    • Opcode Fuzzy Hash: a08a1fad544d618311739ca1bdcded878cdbc9abc91d9f20afada6d795820cb7
    • Instruction Fuzzy Hash: CFA17D32A0CA818AD760DF15E4803AAF7A1FB89B81F924137DA8E43B54DF3CD445CB55

    Control-flow Graph

    control_flow_graph 720: function 7ff7e8911200 (graph rendering omitted). APIs referenced: GetStartupInfoW, Sleep, _amsg_exit, _initterm, _ismbblead, exit, _cexit; internal calls: 7ff7e8911ad4, 7ff7e8911a40, 7ff7e89118fe, 7ff7e89197b8.
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
    • String ID:
    • API String ID: 2995914023-0
    • Opcode ID: b3405ba9bf1b6c8b60cc4677538f088acaae8d2acba2d8ee73f51a443fd371b9
    • Instruction ID: fcd0efb0dd834af1f2061162b88a4b0901733844ce2e8312db91634800e7c8ed
    • Opcode Fuzzy Hash: b3405ba9bf1b6c8b60cc4677538f088acaae8d2acba2d8ee73f51a443fd371b9
    • Instruction Fuzzy Hash: 95615D31E0C6469AFB60AB11E844379E3A1FF48786FC61037D94D836A5DF3CE855872A

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Global$Free$Alloc
    • String ID: %d.%d.%.4d.%d
    • API String ID: 1780285237-3399825337
    • Opcode ID: 75e3eb336131a2feeac37190dcddd72ffeb0e7a34b662413243cd1c5d5b94e16
    • Instruction ID: af1be2bd3f8b62829fd77e689bfc2245d701245ece1f53069dd884aa7a62b140
    • Opcode Fuzzy Hash: 75e3eb336131a2feeac37190dcddd72ffeb0e7a34b662413243cd1c5d5b94e16
    • Instruction Fuzzy Hash: D4613D32A0CA858AD760DF15E4803AAF7A1FB89B85F914137DA8E83B58DF3CD444CB55

    Control-flow Graph

    control_flow_graph 827: function 7ff7e891985c (graph rendering omitted). APIs referenced: Sleep, LoadLibraryExW, GetProcAddress.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressLibraryLoadProcSleep
    • String ID: COMCTL32$InitCommonControlsEx
    • API String ID: 188063004-472741233
    • Opcode ID: dfbbc47501c9e926adc40f3ed42faa0f5c8afec34d359a1271c10688bb43b704
    • Instruction ID: a198b366fff67bbe01c29138e9aee762839a56ff7e79ebdc07a8518e870ab2ed
    • Opcode Fuzzy Hash: dfbbc47501c9e926adc40f3ed42faa0f5c8afec34d359a1271c10688bb43b704
    • Instruction Fuzzy Hash: A011A524E0EB528DFA15EB04A890374E7E0AF59707FC64477C80E063A1EF3CB555832A

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressProcSleep
    • String ID: VERSION
    • API String ID: 1175476452-2153328089
    • Opcode ID: 4b78a3b84602baaf617cab0f1e701a092df9b29d47d07ecb271cf4272f2e33cd
    • Instruction ID: 72ecd09c20dfeaafd79b42eb5b961f1e468571ea0bf6df1f605ae65186a82017
    • Opcode Fuzzy Hash: 4b78a3b84602baaf617cab0f1e701a092df9b29d47d07ecb271cf4272f2e33cd
    • Instruction Fuzzy Hash: 5E115E21F4D64289FB19E711F851334E6A1AF89B82FC64036C90D47391DF7CB454836A

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: FileInfoVersion
    • String ID: GetFileVersionInfoW
    • API String ID: 2427832333-2839375084
    • Opcode ID: 34ec14fac9a0f478101bc2e98b6ffa20347f39b93ccda09454dc23e251d56db1
    • Instruction ID: 277a297d0308fe295d3a2449a659fbcecd14ebc47eb44f15cd026ef068258493
    • Opcode Fuzzy Hash: 34ec14fac9a0f478101bc2e98b6ffa20347f39b93ccda09454dc23e251d56db1
    • Instruction Fuzzy Hash: 0EF0AF26F1CA5589EB00AB0AE400266E3A0BB89FE1FC90033EE4E43725DE3CD945C794

    Control-flow Graph

    control_flow_graph 856: function 7ff7e8919e9f (graph rendering omitted). API referenced: GetFileVersionInfoW; internal call: 7ff7e8919b04.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressFileInfoProcSleepVersion
    • String ID: GetFileVersionInfoW
    • API String ID: 3824450226-2839375084
    • Opcode ID: 421b3e2f00236a42e45061b53ccc93a4ada7b6bbd2490c7aa6d5f2a0107762a5
    • Instruction ID: 071684056b32d31521da82c155093b2320be3981ec7222d1dd0b65841ef6284c
    • Opcode Fuzzy Hash: 421b3e2f00236a42e45061b53ccc93a4ada7b6bbd2490c7aa6d5f2a0107762a5
    • Instruction Fuzzy Hash: A3F09026F1CA5589EB10AB1AE0002A1D760FF8AFE1F891033EE4E47726DD3CD945C7A4

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressFileInfoProcSizeSleepVersion
    • String ID: GetFileVersionInfoSizeW
    • API String ID: 1244426142-1049618512
    • Opcode ID: cc9d82f2052e14159793106c4286692e0a4072a1f5b6a2e07e9e0303faa10243
    • Instruction ID: b4c0d4f205e98a2175b9d165ee204e8d95ed590ba1c6f47d2d9a69719cfe8af8
    • Opcode Fuzzy Hash: cc9d82f2052e14159793106c4286692e0a4072a1f5b6a2e07e9e0303faa10243
    • Instruction Fuzzy Hash: DDF02015F3CA0985FE00E726A9846E4D3A2AF0CFC2BC90033ED0D03B25DE2CE0498725

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Process$ExitMitigationPolicy
    • String ID:
    • API String ID: 3700704341-0
    • Opcode ID: 52af363ce04a9a9eeeb758dbeeeb865ba09bd9b21323276ad8e72a61593e5a5c
    • Instruction ID: ce5d754195c2e4975af0c5f1d544d602cde0236f011cbe099b3018ab2973c094
    • Opcode Fuzzy Hash: 52af363ce04a9a9eeeb758dbeeeb865ba09bd9b21323276ad8e72a61593e5a5c
    • Instruction Fuzzy Hash: 96017172A0D3428EE711AF21D44832CBBA0A784F96FC54076DA0E47292CF7DD548C76A

    Control-flow Graph

    APIs
    • SetProcessMitigationPolicy.KERNELBASE ref: 00007FF7E891980C
      • Part of subcall function 00007FF7E8916068: GetVersionExW.KERNEL32(?,?,?,?,?,00007FF7E8919820), ref: 00007FF7E89160CB
      • Part of subcall function 00007FF7E8916068: GetCommandLineW.KERNEL32(?,?,?,?,?,00007FF7E8919820), ref: 00007FF7E8916114
      • Part of subcall function 00007FF7E8916068: GetStdHandle.KERNEL32(?,?,?,?,?,00007FF7E8919820), ref: 00007FF7E8916159
      • Part of subcall function 00007FF7E8916068: GetFileType.KERNEL32(?,?,?,?,?,00007FF7E8919820), ref: 00007FF7E8916175
      • Part of subcall function 00007FF7E8916068: memset.MSVCRT ref: 00007FF7E89161A2
      • Part of subcall function 00007FF7E8916068: memset.MSVCRT ref: 00007FF7E89161B3
      • Part of subcall function 00007FF7E891A41C: Sleep.KERNEL32 ref: 00007FF7E891A43C
      • Part of subcall function 00007FF7E891A41C: FreeLibrary.KERNEL32 ref: 00007FF7E891A47C
    • ExitProcess.KERNEL32 ref: 00007FF7E8919833
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Processmemset$CommandExitFileFreeHandleLibraryLineMitigationPolicySleepTypeVersion
    • String ID:
    • API String ID: 602188099-0
    • Opcode ID: c7669f763c786de494d069e0ff3be336243fa498b43cf91ea31b1fc52bbf56f9
    • Instruction ID: aa574f592049e4a19eac18016c861cc75cbda974dd88e301469fbe802f993427
    • Opcode Fuzzy Hash: c7669f763c786de494d069e0ff3be336243fa498b43cf91ea31b1fc52bbf56f9
    • Instruction Fuzzy Hash: 3DF06972A1D6018AE710AF21D44833CFBA0A788F96F810135DB0E07392CF7CD6088B6A

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: LibraryLoadlstrlenmemset
    • String ID:
    • API String ID: 3555077121-0
    • Opcode ID: 2b8384b4d86d5728898a6951967ce037c9e2f01b717a0382e6ee51062ba76b2a
    • Instruction ID: f113ba4a162b9cf30fe7dc3fd2944e38497b1131f0865249f917cd06cdd3fdf5
    • Opcode Fuzzy Hash: 2b8384b4d86d5728898a6951967ce037c9e2f01b717a0382e6ee51062ba76b2a
    • Instruction Fuzzy Hash: 7EF0B411F1C6458AFA60E721F4953B9E3A0BB8C745FC54032CD8E46795DF3CD504CA15

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Global$AllocFree
    • String ID:
    • API String ID: 3394109436-0
    • Opcode ID: 28f6b20f6e245442e9c14a1afeaa0e17bc81082526f95a64ff0aa38333002c26
    • Instruction ID: 6530df4e2140bf5c4fa365fdb8a5ee0d6a7cff83d6e6250d44f3fdcfee1da162
    • Opcode Fuzzy Hash: 28f6b20f6e245442e9c14a1afeaa0e17bc81082526f95a64ff0aa38333002c26
    • Instruction Fuzzy Hash: 5F0178B6F08B4586EB509F11F140278E7A6FB88BC5B9590B2DA4E27788CE3CE4419725
    APIs
      • Part of subcall function 00007FF7E8915BC8: EnterCriticalSection.KERNEL32(?,?,?,00007FF7E8914C91), ref: 00007FF7E8915BEB
      • Part of subcall function 00007FF7E8915BC8: SetServiceStatus.ADVAPI32(?,?,?,00007FF7E8914C91), ref: 00007FF7E8915C7D
      • Part of subcall function 00007FF7E8915BC8: GetLastError.KERNEL32(?,?,?,00007FF7E8914C91), ref: 00007FF7E8915C8F
      • Part of subcall function 00007FF7E8915BC8: LeaveCriticalSection.KERNEL32(?,?,?,00007FF7E8914C91), ref: 00007FF7E8915CB2
    • RegOpenKeyExW.ADVAPI32 ref: 00007FF7E8918221
    • RegCloseKey.ADVAPI32 ref: 00007FF7E8918235
    • CoUninitialize.OLE32 ref: 00007FF7E8918295
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: CriticalSection$CloseEnterErrorLastLeaveOpenServiceStatusUninitialize
    • String ID: CLSID$CoCreateInstance of CLSID_GlobalOptions failed.$ServiceThreadMain: Class registration failed$ServiceThreadMain: CoInitializeSecurity failed$ServiceThreadMain: CreateEvent failed.$ServiceThreadMain: CreateSD for CreateWaitableTimer failed.$ServiceThreadMain: CreateWaitableTimer failed.$ServiceThreadMain: SetWaitableTimer failed.$Set of COMGLB_UNMARSHALING_POLICY failed.$Wait Failed in MsgWait.
    • API String ID: 3418182662-1806920385
    • Opcode ID: 6a3061fa050a037e0777b1285ed955ae12f30a5dc91b458fccddce1972e130ca
    • Instruction ID: 81d5196d6571dbd8be2d3f4b45e3547e630138a29ce162958be70c569cf60f25
    • Opcode Fuzzy Hash: 6a3061fa050a037e0777b1285ed955ae12f30a5dc91b458fccddce1972e130ca
    • Instruction Fuzzy Hash: 94325332E1CB428AE710AB20E8407B9F7A1FB89756FC25176D90D53A94DF3CE405C72A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Initialize$Allocate$ErrorLast$DescriptorSecurity$Length$AccessAllocAllowedDaclFreeGlobalGroupMakeOwnerRelativeSelfmemset
    • String ID:
    • API String ID: 184327585-0
    • Opcode ID: 3e53a984ab9a09cdaf87335c43d58d78b36ca20ab92b1818f81e318e6f82d139
    • Instruction ID: f23d41dc989330c1b477baaa8038e5e0ce7b781ab0d46b3c3a0813cbcafc1f4b
    • Opcode Fuzzy Hash: 3e53a984ab9a09cdaf87335c43d58d78b36ca20ab92b1818f81e318e6f82d139
    • Instruction Fuzzy Hash: 74625136E0C6818EE720FF60E5442AEFBA5FB49789F910136DA4E07A54CF39D508CB15
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Value$CloseErrorLast$CreateDebugFreeGlobalOutputQueryStringlstrlenmemset
    • String ID: %s$($Debug$Error: %d. %s.$LastError$LastErrorMessage$P$Software\Microsoft\Windows\CurrentVersion\Installer\CA$Software\Policies\Microsoft\Windows\Installer
    • API String ID: 1456213479-33229316
    • Opcode ID: 1934c46f858a6605f24a883dcfe5e12d7309760ec1ca82aa7b59e2518b9afcdb
    • Instruction ID: b23694c12d3ee973b33adfa9a5ef48a9e4e6cdc939cb860149ab6c57573b1c49
    • Opcode Fuzzy Hash: 1934c46f858a6605f24a883dcfe5e12d7309760ec1ca82aa7b59e2518b9afcdb
    • Instruction Fuzzy Hash: 8C712A32E0CA82CAE750AF54F8407A9FBA1FB89756F824136DA8D43A64DF7CD144CB15
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: FileFreeLibraryWritememset$AddressCaptureContextEntryFormatFunctionGlobalInfoLoadLocaleLookupMessageProcUnwindVersionVirtual__raise_securityfailurelstrlen
    • String ID: GetUserDefaultUILanguage$Install error %i$KERNEL32
    • API String ID: 1645863135-2065445882
    • Opcode ID: cb9bb31495b8f7418fba3d82e575b9c5bee1116f59fb527b316a64f763e2fb35
    • Instruction ID: 290e8fc3155bda4360310e9d771b88bcacf5e00963cd9dc61f1947c904db0988
    • Opcode Fuzzy Hash: cb9bb31495b8f7418fba3d82e575b9c5bee1116f59fb527b316a64f763e2fb35
    • Instruction Fuzzy Hash: 44915432A08B82CAE710AF21E4443B9FBA1FB89B56F824236DA5D437A4DF3CD505C715
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Library$AddressByteCaptureCharContextDefaultEntryFormatFreeFunctionLangLoadLookupMessageMultiProcSystemUnwindVirtualWide__raise_securityfailurememset
    • String ID: ISMIF32.DLL$InstallStatusMIF$Installer error %i
    • API String ID: 3890946596-4237920443
    • Opcode ID: d0e0cacd27651c0e51c91a67122bb4a75c903495f50469f0a13e5b486bf0ac05
    • Instruction ID: ccc765cd81209268d5685fff4a885fcc4aa8dd019e606daf4e1a64db1af4c566
    • Opcode Fuzzy Hash: d0e0cacd27651c0e51c91a67122bb4a75c903495f50469f0a13e5b486bf0ac05
    • Instruction Fuzzy Hash: 25516021E1CB428AF710AB11B844779F6A1FB89796F864236DD5E03BA4DF3CD045C72A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Token$CloseCurrentErrorHandleLastOpenProcessThread$AdjustLookupPrivilegePrivilegesValue
    • String ID:
    • API String ID: 268630328-0
    • Opcode ID: 01e3451ac3059f7399d387cbb32b3dfd5507bde4beffe63b6664a9d4632ba818
    • Instruction ID: f1da58a44ef5b8c28a9cb237182ddd406ed1940f4f0e869762e8cf31790ea18f
    • Opcode Fuzzy Hash: 01e3451ac3059f7399d387cbb32b3dfd5507bde4beffe63b6664a9d4632ba818
    • Instruction Fuzzy Hash: AC414C32A18B81CAE750AF51E4402AEFBA1FB89B92F869136DE4E43714CF3CD445CB15
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AllocateErrorFreeInitializeLastLength
    • String ID:
    • API String ID: 1611457584-0
    • Opcode ID: be8ae4226a28a24042c069a42d2651baacb3a613f5850007bf3a0631a8d9883c
    • Instruction ID: 965fa836d08304622dce336a7394e496505dcbb970fc3ced9c299ecbd63cb61d
    • Opcode Fuzzy Hash: be8ae4226a28a24042c069a42d2651baacb3a613f5850007bf3a0631a8d9883c
    • Instruction Fuzzy Hash: E8314832E18A51CEEB50AB60E8442ADFBB4FB49B85F824532DE4D53B14CF3CE4458B65
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 4104442557-0
    • Opcode ID: 15334446d3bfe052334fd3d83ac7d76e9822e339985e01ed7196eec3a427d2b1
    • Instruction ID: f036332619209b95e156197fad815de98fa2c15c21e9c364c46603782f8ee23f
    • Opcode Fuzzy Hash: 15334446d3bfe052334fd3d83ac7d76e9822e339985e01ed7196eec3a427d2b1
    • Instruction Fuzzy Hash: 8A113621B08F418EEB00EF70E894368B3A4FB49759F811A35EA5E47794DF7CD5948354
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: DllGetClassObject$Msi.dll
    • API String ID: 2574300362-3279299384
    • Opcode ID: 7a7f4cc9762f0404d66fa210fedae559aaa315c470d181184e87cda7238815a7
    • Instruction ID: de0f911755b971b5629fda7c9e00682c0cc7f7bf570b56dd0a9ea2d3b20cb5af
    • Opcode Fuzzy Hash: 7a7f4cc9762f0404d66fa210fedae559aaa315c470d181184e87cda7238815a7
    • Instruction Fuzzy Hash: D2214726E0DB4AC9EA00AB55E840365E7A1FB89B86F824537DA0D03370EF3CE845C725
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Value$CloseErrorLast$CreateCtrlDispatcherFreeGlobalQueryServiceStartlstrlen
    • String ID: MSIServer$StartServiceCtrlDispatcher failed.
    • API String ID: 2998827721-520530687
    • Opcode ID: c59ed3f7e2a149577dac8587c8409470a3f41718c65d3b8651e9717f3779eb6e
    • Instruction ID: 96d915b4d63685debe46826e4f28464631e85eb8198e38a03c37cd37f4010657
    • Opcode Fuzzy Hash: c59ed3f7e2a149577dac8587c8409470a3f41718c65d3b8651e9717f3779eb6e
    • Instruction Fuzzy Hash: 98F0E766F1CB01CAEB40AB50E8483B8F6A5FB58712FC24136C61D46350EF3D9955C76A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: OpenStorage
    • String ID:
    • API String ID: 222319337-0
    • Opcode ID: 9dd22f2db73f029518cdd49393d27bb62fb0fb2953de28639cf637c3d8d2440c
    • Instruction ID: 148045e97819133d423cc11f4fc53ef61a11ecf4ebcca56749e71bacce873f42
    • Opcode Fuzzy Hash: 9dd22f2db73f029518cdd49393d27bb62fb0fb2953de28639cf637c3d8d2440c
    • Instruction Fuzzy Hash: C6A17B36F08A09CAEB109F6AD4407ADB7B1FB48BC9B424126CE0D57B64DF39D504C765
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: FreeGlobal$ErrorLast$Library$AddressAllocCurrentDirectoryInitializeLoadProcThreadTokenUninitializelstrlen
    • String ID: DllRegisterServer
    • API String ID: 1316943176-1663957109
    • Opcode ID: 6f3edc7648352c623a582051d70f155c2298b9925c4d64724b4387f3909674c8
    • Instruction ID: c8f145015ade146d0207736023620262cbb66d05ace16089a4dfe346976b3808
    • Opcode Fuzzy Hash: 6f3edc7648352c623a582051d70f155c2298b9925c4d64724b4387f3909674c8
    • Instruction Fuzzy Hash: 11519631E1CA42CAE7206B55E940379E6A1FF89B86F878136DA4E47794DF3CD4408626
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: ErrorLast$Library$AddressDirectoryFreeLoadProcSystem
    • String ID: GetSystemWow64DirectoryW$kernel32.dll
    • API String ID: 2916345467-1816364905
    • Opcode ID: 38b1984afccf70b739797175a4c4a5f79872d147ea3478e830a9498960fe5fb1
    • Instruction ID: 81c64c6e1254a4232948f15dd7091befab00ec6fa0e584d30292a72234629cb9
    • Opcode Fuzzy Hash: 38b1984afccf70b739797175a4c4a5f79872d147ea3478e830a9498960fe5fb1
    • Instruction Fuzzy Hash: FA214221E0DA42CAF7106B11A844379EA91FB8DB92BC68136C94E47354DF7CE846872A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID:
    • String ID: KERNEL32.DLL$ResolveDelayLoadedAPI$ResolveDelayLoadsFromDll$api-ms-win-core-delayload-l1-1-1.dll
    • API String ID: 0-3594434003
    • Opcode ID: 6b239a1baf1f41045e421fdd87f65cc076a6d0727055c4f8a4304b728ac76abb
    • Instruction ID: fa8eca73e1d09c3ee60d7746bd4885f8ebc99e4a28e4d7c8b945e1846c485c36
    • Opcode Fuzzy Hash: 6b239a1baf1f41045e421fdd87f65cc076a6d0727055c4f8a4304b728ac76abb
    • Instruction Fuzzy Hash: 36112E20E4D74659FD15B710A6503B8E2926F44782FDA5436C80D0A795EE7CF850822A
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: ErrorLast$CreateCtrlHandlerRegisterServiceThread
    • String ID: MSIServer$RegisterServiceCtrlHandler failed.
    • API String ID: 1655486688-870239898
    • Opcode ID: b2b1f7dcce0eb2376bba565d5b97fdf5dbd66057a7efad85d9a978250082064c
    • Instruction ID: 274a5243ab7f959356e66897676d11a629b019bdcb0a72315a1abac2dede4df3
    • Opcode Fuzzy Hash: b2b1f7dcce0eb2376bba565d5b97fdf5dbd66057a7efad85d9a978250082064c
    • Instruction Fuzzy Hash: 6B215031E1CB42CAF750AB10F8012B9F691EF49766FC68276C91D136A0DF3CA145876A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: lstrlen$Global$Free$Alloc
    • String ID:
    • API String ID: 1395816572-0
    • Opcode ID: 668792ee54a1b49304227f55d51ffe2347cdf3a3d805d71e0306c8ef54d9d055
    • Instruction ID: 64ebeefe44fa0ec4dbd05ea8ee94d7fa553419831d921fafc0ad6f66b05b3862
    • Opcode Fuzzy Hash: 668792ee54a1b49304227f55d51ffe2347cdf3a3d805d71e0306c8ef54d9d055
    • Instruction Fuzzy Hash: 98711021E0CA468EE610AB25E8803B9F7A1FF89B56F864133D94E43265DF3CE545C729
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: FreeLibrary$AddressHandleModuleProc
    • String ID: Msi.dll$QueryInstanceCount
    • API String ID: 1227796897-1207408768
    • Opcode ID: f1349819d9c6486063a1e120f8d81926f278f2e7c32421e298db31df53d9dc2b
    • Instruction ID: 4c0536fb48caa607e621055b97b39078f36b88bb862d2bcf36bf569e33694c7b
    • Opcode Fuzzy Hash: f1349819d9c6486063a1e120f8d81926f278f2e7c32421e298db31df53d9dc2b
    • Instruction Fuzzy Hash: 3F011A22E2DA42CAEA006B20E840379F662FF89B46FC29432D54E47264CF3CD045C725
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: lstrcmp
    • String ID: *$d$mewuifsoarpcvxgh!
    • API String ID: 1534048567-4240403005
    • Opcode ID: 7dedc2b983e11988325de8d7993be4d00050d57ab70692e2ed95e52a84574ce0
    • Instruction ID: 96ac9ce527d40e00c509060463809f0b503b180a59194548b590e2de268f7bf8
    • Opcode Fuzzy Hash: 7dedc2b983e11988325de8d7993be4d00050d57ab70692e2ed95e52a84574ce0
    • Instruction Fuzzy Hash: 40411E62E1C65189EB216F119640375E6A2FF48B92FC68036DE4E07A80DF3CE881C765
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: CriticalSection$AddressEnterErrorFreeHandleLastLeaveLibraryModuleProcServiceStatus
    • String ID: SetServiceStatus failed.
    • API String ID: 2790535729-1344523210
    • Opcode ID: 1230dbb4035e627e326862703a5e925e3ea7e4a73df9a64648f7d83e94656031
    • Instruction ID: a8b8ac86964edd99a093caf577c4962d7f3fba735ce440fb8bcb0c86f579ea3b
    • Opcode Fuzzy Hash: 1230dbb4035e627e326862703a5e925e3ea7e4a73df9a64648f7d83e94656031
    • Instruction Fuzzy Hash: 3231E575E1C6428AEB60BF55F890278FAA1AB88746FD74137C90D43260DF3CA445CB2A
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressHandleModuleProcVersion
    • String ID: HeapSetInformation$Kernel32.dll
    • API String ID: 3310240892-3460614246
    • Opcode ID: e06b0d96157770a1b07050612fd5048407fe3fa93e44e060f159265d7615af8e
    • Instruction ID: 3979f056950bc5f0dd752cfcfa0a603259bda377ece0f34c18e200a511ea6679
    • Opcode Fuzzy Hash: e06b0d96157770a1b07050612fd5048407fe3fa93e44e060f159265d7615af8e
    • Instruction Fuzzy Hash: 1FF01D71E0D6428AFB047B54A845778EBA2FF89B02BC69036C90E03664DF7CA015C72E
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: memcpy
    • String ID: RUVEH?IJDqXFAtPYZlgmnc
    • API String ID: 3510742995-3312014676
    • Opcode ID: 6832e74108f691214abf77114a38d05b580e507a555a7f4506417be30c4c9d20
    • Instruction ID: 35d4b40e37581c5baa15ca989ea065217e10d77dbfd897c0f68cc59a39dcf0b2
    • Opcode Fuzzy Hash: 6832e74108f691214abf77114a38d05b580e507a555a7f4506417be30c4c9d20
    • Instruction Fuzzy Hash: 9771BD27F0AB4589EB55EF95E4402B9F3A0EB48F84B868432DA5D03795EF3CE541C325
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: _wcsicmpmemset
    • String ID: '$PackageCode$rpoedcamusv
    • API String ID: 2241082953-3710158643
    • Opcode ID: 9916245b60fe63e4baf26bf2d59dc9197fba7a455b37bcfbcba3cfb3deffdb07
    • Instruction ID: 4fcaa60ae900dd09608cd023c225273d0419ec3293963a26e86a03ca70d0264e
    • Opcode Fuzzy Hash: 9916245b60fe63e4baf26bf2d59dc9197fba7a455b37bcfbcba3cfb3deffdb07
    • Instruction Fuzzy Hash: BE31A262E0D6828AEB20AB60D8503F8F7A0EB8575AFC74037C64E47594DF3CD545C716
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: DllGetClassObject$Msi.dll
    • API String ID: 2574300362-3279299384
    • Opcode ID: 893df179fb33a4be07870beaa0bb73193369531d23840f6915495b247665a893
    • Instruction ID: 9b2d3dc8503b2dc6cf479b41c1f4f2beda140bf6c1dd6aaf1b936ded805bfe56
    • Opcode Fuzzy Hash: 893df179fb33a4be07870beaa0bb73193369531d23840f6915495b247665a893
    • Instruction Fuzzy Hash: 8D41272AA19B0AC9EB00AF15E8403A9E771FB89F96F824133DA0D07364DF3DD405C329
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressLibraryLoadProcSleep
    • String ID: COMCTL32
    • API String ID: 188063004-3719691325
    • Opcode ID: 00dff6005eda7ee8aadd4f1cc6cb64e4eaa46939875f1bf53faa5944decd763d
    • Instruction ID: b4af059feb185e9e320c74130542785aa565b7d1df6572af1d8eedd5a3bc4ebe
    • Opcode Fuzzy Hash: 00dff6005eda7ee8aadd4f1cc6cb64e4eaa46939875f1bf53faa5944decd763d
    • Instruction Fuzzy Hash: C0117021E0D6428AEF14AB15F990374E7E0AF49B46FC68036C90E07395DF3CA454876A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
    • String ID:
    • API String ID: 140117192-0
    • Opcode ID: 490ce7c50a8e91f8c655fb75a019fbf1c3b37b72a524ee5533afb72fceb4fd44
    • Instruction ID: 3e4e26548fdc6534794a0fa04e136e5ce4362198373a4f50c4d7595ccd2164c8
    • Opcode Fuzzy Hash: 490ce7c50a8e91f8c655fb75a019fbf1c3b37b72a524ee5533afb72fceb4fd44
    • Instruction Fuzzy Hash: 2B41A135E08B01C5EA50AB18F880369F7A4FB88795FD24137D98E42B65DF3CE444C72A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_inittermexit
    • String ID:
    • API String ID: 1267577977-0
    • Opcode ID: 91652315ba1fe01f8a8ece5ff59dbdf3c3f9a09bce4cf743121d1b7903586ae2
    • Instruction ID: 390f329b79f70980b16f5854776f70c0caf9c8644b07f9be1d5aa7490283c0a0
    • Opcode Fuzzy Hash: 91652315ba1fe01f8a8ece5ff59dbdf3c3f9a09bce4cf743121d1b7903586ae2
    • Instruction Fuzzy Hash: 2F31A021E0C6469AF760BB11E840379E3A1FF44392FC61033D95D83AA5DF3CE861832A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
    • String ID:
    • API String ID: 140117192-0
    • Opcode ID: 8036299c976cbf79c85cdaf7c77a2991928e780fec2f487019bb539a5fcbceb1
    • Instruction ID: bad973f80810181fc766b7a88eb6517dab18c2b74e94241226680e87d1de9436
    • Opcode Fuzzy Hash: 8036299c976cbf79c85cdaf7c77a2991928e780fec2f487019bb539a5fcbceb1
    • Instruction Fuzzy Hash: 2D31D135A08B41C5EA00EB18F88036AF7A4FB88795F914137DA8E43B65DF3CE448C729
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
    • String ID:
    • API String ID: 140117192-0
    • Opcode ID: 5ee8373863b9369710b00ab6f7017c7510acf0e01d4016d202edef6e17d6c05a
    • Instruction ID: 84512b265071f31528ffca55dc1a535f5ebe063ef2b6bf20d332ccd70d7d1827
    • Opcode Fuzzy Hash: 5ee8373863b9369710b00ab6f7017c7510acf0e01d4016d202edef6e17d6c05a
    • Instruction Fuzzy Hash: 9D21CC35A08B4186E640AB04F880369E7A0FB88786F920137EA8D42B64DF3DE044C769
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AlphaCharNumeric
    • String ID: Property value is too long.
    • API String ID: 1535711457-2228807622
    • Opcode ID: 8e0ad987d59236390a4f43091e0f694375a61cd59cd5f835ced690290484a853
    • Instruction ID: 5371f14183a9777ef094f47004b1e67a0d67e3cb0f7f99bf1395e2c435644e29
    • Opcode Fuzzy Hash: 8e0ad987d59236390a4f43091e0f694375a61cd59cd5f835ced690290484a853
    • Instruction Fuzzy Hash: 3C41B516E1C56289EA64AB459650378F291EB08B93BCA4133EA9D477C0DF3CE851C336
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressProcSleep
    • String ID: KERNEL32
    • API String ID: 1175476452-1217789123
    • Opcode ID: 38c5cfa0107da9405b392d4bc92fa26bb61fbe6a5fa62d6bbdd67ebadddc9319
    • Instruction ID: 0b976bac90691b447d296e74c0f0635cfab4f733e7227951607cb71f66501b52
    • Opcode Fuzzy Hash: 38c5cfa0107da9405b392d4bc92fa26bb61fbe6a5fa62d6bbdd67ebadddc9319
    • Instruction Fuzzy Hash: 59115B21F0D68289FF15A715B951374E6A0AF09B82FC68036C90E473A5EF7CB458832A
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1704607522.00007FF7E8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E8910000, based on PE: true
    • Associated: 00000000.00000002.1704593717.00007FF7E8910000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704622754.00007FF7E891B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704637002.00007FF7E891F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1704651245.00007FF7E8922000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e8910000_msiexec.jbxd
    Similarity
    • API ID: AddressProcSleep
    • String ID: OLE32
    • API String ID: 1175476452-2276369563
    • Opcode ID: b016953d975994a3ed2598a1728dbb971f069d0f324b54cc20d20637c5f59208
    • Instruction ID: d2d15cbcc7a14d5f50ab9722fdedb188b983cb2166b327b6e9b3e3c6c63ecbc3
    • Opcode Fuzzy Hash: b016953d975994a3ed2598a1728dbb971f069d0f324b54cc20d20637c5f59208
    • Instruction Fuzzy Hash: 0A115E21E0D64289FF19AB11F951335E6A0AF49B86FCA8036C90D47391DF3CB558876A