Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
AccessDatabaseuser.exe

Overview

General Information

Sample name:AccessDatabaseuser.exe
Analysis ID:1591991
MD5:46b666e01d7ea03bc65ec5e1249f7d4b
SHA1:0aa027c5d00ca67dd85eafeeb7ab245226331823
SHA256:86fecfce83469b3f40ee93e0b54f433209c2bf5626d7f475761024e3f2d4a324
Infos:

Detection

Score:0
Range:0 - 100
Whitelisted:true
Confidence:100%

Compliance

Score:48
Range:0 - 100

Signatures

Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Process Tree

  • System is w10x64
  • AccessDatabaseuser.exe (PID: 5176 cmdline: "C:\Users\user\Desktop\AccessDatabaseuser.exe" MD5: 46B666E01D7EA03BC65EC5E1249F7D4B)
  • msiexec.exe (PID: 3248 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 1880 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6DCFC73376ADDBA52990B232DF33C952 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1372 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E0883EF17785BDC605A083E905F940CD MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6140 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A0E0FCCBD52B915BB5099AA028D1FC6F E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLLJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    There are no malicious signatures, click here to show all signatures.

    Compliance

    barindex
    Uses 32bit PE files
    Source: AccessDatabaseuser.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    PE / OLE file has a valid certificate
    Source: AccessDatabaseuser.exeStatic PE information: certificate valid
    Uses new MSVCR Dlls
    Source: C:\Windows\System32\msiexec.exeFile opened: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dllJump to behavior
    Contains modern PE file flags such as dynamic base (ASLR) or NX
    Source: AccessDatabaseuser.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Binary contains paths to debug symbols
    Source: Binary string: o\x86\ship\0\mso.dll\scpobfu\mso.pdb source: MSO.DLL.2.dr
    Source: Binary string: t:\ace\x86\ship\0\aceodbc.pdb6\ship\0\aceodbc.dll\bbtopt\aceodbcO.pdb source: ACEODBC.DLL.2.dr
    Source: Binary string: hip\0\opatchinst.exe\bbtopt\opatchinstO.pdb source: AccessDatabaseuser.exe
    Source: Binary string: t:\ses\x86\ship\0\opatchinst.pdb source: AccessDatabaseuser.exe
    Source: Binary string: t:\mso\x86\ship\0\mso.pdb source: MSO.DLL.2.dr
    Source: Binary string: t:\ace\x86\ship\0\aceodbc.pdb source: ACEODBC.DLL.2.dr
    Source: Binary string: t:\ace\x86\ship\0\aceoledb.pdb source: ACEOLEDB.DLL.2.dr
    Source: Binary string: t:\mso\x86\ship\0\mso.pdbo\x86\ship\0\mso.dll\scpobfu\mso.pdb)Z source: MSO.DLL.2.dr
    Source: Binary string: t:\ses\x86\ship\0\opatchinst.pdbhip\0\opatchinst.exe\bbtopt\opatchinstO.pdb source: AccessDatabaseuser.exe
    Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\ocfxca.PDBzy source: MSI127D.tmp.0.dr
    Source: Binary string: \ship\0\aceoledb.dll\bbtopt\aceoledbO.pdb source: ACEOLEDB.DLL.2.dr
    Source: Binary string: t:\ace\x86\ship\0\aceoledb.pdb\ship\0\aceoledb.dll\bbtopt\aceoledbO.pdb source: ACEOLEDB.DLL.2.dr
    Source: Binary string: 6\ship\0\aceodbc.dll\bbtopt\aceodbcO.pdb source: ACEODBC.DLL.2.dr
    Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\mainca.PDB source: MSI547B.tmp.2.dr
    Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\ocfxca.PDB source: MSI127D.tmp.0.dr
    Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: c:Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
    Source: global trafficTCP traffic: 192.168.2.6:57101 -> 1.1.1.1:53
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: MSO.DLL.2.drString found in binary or memory: http://beta.blogger.com/feeds/default/blogsatom:link
    Source: MSO.DLL.2.drString found in binary or memory: http://nonexistant/proppanel.xsn
    Source: AccessDatabaseuser.exe, 00000000.00000002.2507836334.00000000079F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://office.microsof
    Source: MSO.DLL.2.drString found in binary or memory: http://officelive.com/
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/chart3http://purl.oclc.org/ooxml/officeDocument/customXml
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram1http://purl.oclc.org/ooxml/drawingml/lockedCanvas.http:
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/picture.http://purl.oclc.org/ooxml/presentationml/main:http://p
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/bibliography1http://purl.oclc.org/ooxml/drawingml/chartDra
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/customPropertiesVj
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/docPropsVTypes
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/extendedProperties
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/attachedTemplate
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/audiovideo?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/calcChainchartsheets/
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/chartchart
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/chartsheet
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/commentAuthors
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/comments
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/controlembeddings/package?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/customProperties
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/customProperty
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/customXml/drs/
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/customXmlProps
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/diagramColors
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/diagramLayoutquickStyleHeader?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/diagramQuickStylecolorsHeader?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/endnotes
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/externalLink
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/externalLinkPath
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/font
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/fontTablefooter?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/footer
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/footnotesglossary/
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/frameafChunk?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/glossaryDocument
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/handoutMasterslideMasters/
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/header
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/htmlPubSaveAs
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/hyperlink
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/imagemedia?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/mailMergeHeaderSource
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/mailMergeRecipientData
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/notesSlide
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/numberingsettings
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/officeDocument
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/oleObjectuserXmlData?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheDefinition
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheRecords
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/pivotTable
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/presPropsslides/slide?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/queryTable
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/settings
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/sharedStringstables/table?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/sheetMetadatapivotCache/pivotCacheDefinition
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/slideUpdateUrl
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/slideslideUpdateInfo/
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/styles
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/tableSingleCells
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/tabletableSingleCells?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/tags
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/themeOverridetheme?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/themethemeThumbnail
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/transformthemeManager
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/usernamesvolatileDependencies
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/videohdphoto?
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/viewPropstags/
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/volatileDependencies
    Source: MSO.DLL.2.drString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/worksheetxmlMaps
    Source: MSO.DLL.2.drString found in binary or memory: http://schemas.google.com/g/2005#post
    Source: MSO.DLL.2.drString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: MSO.DLL.2.drString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
    Source: MSO.DLL.2.drString found in binary or memory: http://uri.etsi.org/01903#SignedProperties
    Source: MSO.DLL.2.drString found in binary or memory: http://uri.etsi.org/01903/v1.3.2#
    Source: MSO.DLL.2.drString found in binary or memory: http://www.blogger.com/feeds/default/blogs
    Source: MSO.DLL.2.drString found in binary or memory: http://www.passport.com/NameSpace.xsd
    Source: MSO.DLL.2.drString found in binary or memory: http://www.typepad.com/t/api
    Source: MSO.DLL.2.drString found in binary or memory: http://xml.org/sax/features/external-parameter-entitieshttp://xml.org/sax/features/external-general-
    Source: MSO.DLL.2.drString found in binary or memory: http://xml.org/sax/features/lexical-handler/parameter-entities
    Source: MSO.DLL.2.drString found in binary or memory: http://xml.org/sax/features/namespace-prefixes
    Source: MSO.DLL.2.drString found in binary or memory: http://xml.org/sax/features/namespaces
    Source: MSO.DLL.2.drString found in binary or memory: http://xml.org/sax/properties/lexical-handler
    Source: MSO.DLL.2.drString found in binary or memory: http://xml.org/sax/properties/lexical-handlero12:itemID
    Source: MSO.DLL.2.drString found in binary or memory: https://docs.live.net/SkyDocsService.svcU
    Source: MSO.DLL.2.drString found in binary or memory: https://office.bcentral.com/eServices/index?DPC=%ProductCode%&DCC=%AppComponentCode%&AppName=%Applic
    Source: MSO.DLL.2.drString found in binary or memory: https://office.bcentral.com/eServices/service?Command=WebPost&DPC=%ProductCode%&DCC=%AppComponentCod
    Source: MSO.DLL.2.drString found in binary or memory: https://www.google.com/accounts/ClientLogin
    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL, type: DROPPED
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\594d15.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI51B9.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{90140000-00D1-0409-0000-0000000FF1CE}Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI541B.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI542C.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI547B.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5612.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\T50LY6O0Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\9Y4YXQIYJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\9Y4YXQIY\NGBHLPX0Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.catJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131238.0Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131238.0\9.0.30729.4148.catJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.manifestJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131238.0\9.0.30729.4148.policyJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6F58.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\594d17.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\594d17.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\pubpol181.datJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\pubpol182.datJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\GACLock.datJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI51B9.tmpJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D39CFE20_2_2D39CFE2
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D39BE630_2_2D39BE63
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D39E1600_2_2D39E160
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D3939EF0_2_2D3939EF
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D39C8EB0_2_2D39C8EB
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D39C3A70_2_2D39C3A7
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: String function: 2D385E3A appears 92 times
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: String function: 2D38F7B1 appears 64 times
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: String function: 2D392906 appears 35 times
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: None type: basic-16 executable not stripped
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: None type: DitPack archive data
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: None type: iAPX 286 executable large model (COFF) not stripped
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: None type: unknown readable demand paged pure executable
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: None type: ARC archive data, uncompressed
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: None type: DitPack archive data
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: None type: iAPX 286 executable large model (COFF) not stripped
    Source: MSOINTL.DLL.2.drStatic PE information: Resource name: None type: 68k Blit mpx/mux executable
    Source: MSI547B.tmp.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: ACERECR.DLL.2.drStatic PE information: No import functions for PE file found
    Source: STSLISTI.DLL.2.drStatic PE information: No import functions for PE file found
    Source: MSOINTL.DLL.2.drStatic PE information: No import functions for PE file found
    Source: MSOINTL.REST.IDX_DLL.2.drStatic PE information: No import functions for PE file found
    Source: MSOINTL.DLL.IDX_DLL.2.drStatic PE information: No import functions for PE file found
    Source: OFFICE.ODF.2.drStatic PE information: No import functions for PE file found
    Source: AccessDatabaseuser.exe, 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename vs AccessDatabaseuser.exe
    Source: AccessDatabaseuser.exeBinary or memory string: OriginalFilename vs AccessDatabaseuser.exe
    Source: AccessDatabaseuser.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: STSLISTI.DLL.2.drStatic PE information: Section .rsrc
    Source: classification engineClassification label: clean6.winEXE@8/72@0/0
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D387E35 GetDiskFreeSpaceExA,0_2_2D387E35
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D373001 CLSIDFromProgID,CoCreateInstance,0_2_2D373001
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D37EC30 FindResourceA,GetLastError,__CxxThrowException@8,LoadResource,LockResource,SysAllocString,0_2_2D37EC30
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile created: C:\Program Files (x86)\MSECache\AceRedistJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile created: C:\Users\user\AppData\Local\Temp\Microsoft Access Database user 2010 (0).logJump to behavior
    Source: AccessDatabaseuser.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile read: C:\Windows\win.iniJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile read: C:\Users\user\Desktop\AccessDatabaseuser.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\AccessDatabaseuser.exe "C:\Users\user\Desktop\AccessDatabaseuser.exe"
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6DCFC73376ADDBA52990B232DF33C952 C
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E0883EF17785BDC605A083E905F940CD
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0E0FCCBD52B915BB5099AA028D1FC6F E Global\MSI0000
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6DCFC73376ADDBA52990B232DF33C952 CJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E0883EF17785BDC605A083E905F940CDJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0E0FCCBD52B915BB5099AA028D1FC6F E Global\MSI0000Jump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: msxml3.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: srpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: msihnd.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: riched20.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeSection loaded: msls31.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\InProcServer32Jump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeAutomated click: Next >
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeAutomated click: I accept the terms in the License Agreement
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeAutomated click: Next >
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeAutomated click: Install
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeAutomated click: OK
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: AccessDatabaseuser.exeStatic PE information: certificate valid
    Source: initial sampleStatic PE information: Valid certificate with Microsoft Issuer
    Source: AccessDatabaseuser.exeStatic file information: File size 26557232 > 1048576
    Source: C:\Windows\System32\msiexec.exeFile opened: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dllJump to behavior
    Source: AccessDatabaseuser.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: AccessDatabaseuser.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: AccessDatabaseuser.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: AccessDatabaseuser.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: AccessDatabaseuser.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: AccessDatabaseuser.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: AccessDatabaseuser.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: AccessDatabaseuser.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: o\x86\ship\0\mso.dll\scpobfu\mso.pdb source: MSO.DLL.2.dr
    Source: Binary string: t:\ace\x86\ship\0\aceodbc.pdb6\ship\0\aceodbc.dll\bbtopt\aceodbcO.pdb source: ACEODBC.DLL.2.dr
    Source: Binary string: hip\0\opatchinst.exe\bbtopt\opatchinstO.pdb source: AccessDatabaseuser.exe
    Source: Binary string: t:\ses\x86\ship\0\opatchinst.pdb source: AccessDatabaseuser.exe
    Source: Binary string: t:\mso\x86\ship\0\mso.pdb source: MSO.DLL.2.dr
    Source: Binary string: t:\ace\x86\ship\0\aceodbc.pdb source: ACEODBC.DLL.2.dr
    Source: Binary string: t:\ace\x86\ship\0\aceoledb.pdb source: ACEOLEDB.DLL.2.dr
    Source: Binary string: t:\mso\x86\ship\0\mso.pdbo\x86\ship\0\mso.dll\scpobfu\mso.pdb)Z source: MSO.DLL.2.dr
    Source: Binary string: t:\ses\x86\ship\0\opatchinst.pdbhip\0\opatchinst.exe\bbtopt\opatchinstO.pdb source: AccessDatabaseuser.exe
    Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\ocfxca.PDBzy source: MSI127D.tmp.0.dr
    Source: Binary string: \ship\0\aceoledb.dll\bbtopt\aceoledbO.pdb source: ACEOLEDB.DLL.2.dr
    Source: Binary string: t:\ace\x86\ship\0\aceoledb.pdb\ship\0\aceoledb.dll\bbtopt\aceoledbO.pdb source: ACEOLEDB.DLL.2.dr
    Source: Binary string: 6\ship\0\aceodbc.dll\bbtopt\aceodbcO.pdb source: ACEODBC.DLL.2.dr
    Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\mainca.PDB source: MSI547B.tmp.2.dr
    Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\ocfxca.PDB source: MSI127D.tmp.0.dr
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D38784B LoadLibraryA,GetProcAddress,FreeLibrary,0_2_2D38784B
    Source: STSLIST.DLL.2.drStatic PE information: section name: .rtext
    Source: ACEES.DLL.2.drStatic PE information: section name: .rtext
    Source: ACEEXCH.DLL.2.drStatic PE information: section name: CURSORS
    Source: ACEEXCH.DLL.2.drStatic PE information: section name: BASE
    Source: EXPSRV.DLL.2.drStatic PE information: section name: user
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D39294B push ecx; ret 0_2_2D39295E
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D38F889 push ecx; ret 0_2_2D38F89C
    Source: msvcr90.dll.2.drStatic PE information: section name: .text entropy: 6.922045894978299
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile created: C:\Users\user\AppData\Local\Temp\MSI127D.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEREP.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI51B9.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_XPS.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODBC.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACERCLR.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEXBE.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACERECR.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\Source user\OSE.EXEJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEOLEDB.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\VBAJET32.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEDAO.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI542C.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEODBCI.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6F58.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_PDF.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5612.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCH.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEINTL.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCL.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSORES.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACETXT.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.REST.IDX_DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODFJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWDAT.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEWSTR.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI547B.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEERR.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODDBS.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACER3X.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEES.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODTXT.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXPSRV.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6F58.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5612.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI51B9.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI547B.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI542C.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODFJump to dropped file
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D388222 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_2D388222
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI127D.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEREP.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI51B9.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_XPS.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODBC.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACERCLR.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEXBE.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACERECR.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\Source user\OSE.EXEJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEOLEDB.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\VBAJET32.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEDAO.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI542C.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEODBCI.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6F58.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_PDF.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5612.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCH.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEINTL.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCL.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSORES.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACETXT.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.REST.IDX_DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODFJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEWSTR.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWDAT.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI547B.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEERR.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODDBS.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACER3X.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEES.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODTXT.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXPSRV.DLLJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLLJump to dropped file
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-17281
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-14831
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: MSO.DLL.2.drBinary or memory string: Whgfse
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeAPI call chain: ExitProcess graph end nodegraph_0-15492
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeAPI call chain: ExitProcess graph end nodegraph_0-15086
    Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D38F7A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_2D38F7A3
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D38784B LoadLibraryA,GetProcAddress,FreeLibrary,0_2_2D38784B
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D38EBE3 GetProcessHeap,HeapFree,0_2_2D38EBE3
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D38F7A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_2D38F7A3
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D3970F3 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_2D3970F3
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D38F26F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_2D38F26F
    Source: MSO.DLL.2.drBinary or memory string: Shell_TrayWnd
    Source: AccessDatabaseuser.exe, 00000000.00000002.2506753423.00000000035D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: RemoveProgManItems
    Source: AccessDatabaseuser.exe, 00000000.00000002.2506753423.00000000035D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CreateProgManItems
    Source: AccessDatabaseuser.exe, 00000000.00000003.2151144618.0000000001178000.00000004.00000020.00020000.00000000.sdmp, AccessDatabaseuser.exe, 00000000.00000003.2151282677.0000000001189000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Removing Program Manager items
    Source: AccessDatabaseuser.exe, 00000000.00000002.2506753423.00000000035D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Removing Program Manager items|
    Source: AccessDatabaseuser.exe, 00000000.00000003.2151144618.0000000001178000.00000004.00000020.00020000.00000000.sdmp, AccessDatabaseuser.exe, 00000000.00000003.2151282677.0000000001189000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Creating Program Manager itemsde
    Source: AccessDatabaseuser.exe, 00000000.00000002.2506753423.00000000035D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Creating Program Manager itemsI
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: GetLocaleInfoA,0_2_2D39DD43
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D39295F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_2D39295F
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeCode function: 0_2_2D382FF7 _memset,GetVersionExA,GetVersionExA,GetVersionExA,GetLastError,__CxxThrowException@8,GetSystemDefaultLangID,GetUserDefaultLangID,GetModuleFileNameW,0_2_2D382FF7
    Source: C:\Users\user\Desktop\AccessDatabaseuser.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire Infrastructure1
    Replication Through Removable Media    		2
    Native API    		1
    DLL Side-Loading    		2
    Process Injection    		31
    Masquerading    		OS Credential Dumping1
    System Time Discovery    		Remote Services1
    Archive Collected Data    		1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading    		2
    Process Injection    		LSASS Memory21
    Security Software Discovery    		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
    Deobfuscate/Decode Files or Information    		Security Account Manager2
    Process Discovery    		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook3
    Obfuscated Files or Information    		NTDS11
    Peripheral Device Discovery    		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    Software Packing    		LSA Secrets1
    File and Directory Discovery    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    DLL Side-Loading    		Cached Domain Credentials26
    System Information Discovery    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
    File Deletion    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 process2 2 Behavior Graph ID: 1591991 Sample: AccessDatabaseuser.exe Startdate: 15/01/2025 Architecture: WINDOWS Score: 0 5 msiexec.exe 505 93 2->5         started        8 AccessDatabaseuser.exe 14 2->8         started        file3 16 Microsoft.Office.interop.access.dao.dll, PE32 5->16 dropped 18 Policy.12.0.Micros...erop.Access.Dao.dll, PE32 5->18 dropped 20 C:\Windows\WinSxS\InstallTemp\...\msvcr90.dll, PE32 5->20 dropped 24 42 other files (none is malicious) 5->24 dropped 10 msiexec.exe 5->10         started        12 msiexec.exe 5->12         started        14 msiexec.exe 5->14         started        22 C:\Users\user\AppData\Local\...\MSI127D.tmp, PE32 8->22 dropped process4

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    AccessDatabaseuser.exe0%VirustotalBrowse
    AccessDatabaseuser.exe0%ReversingLabs

    Dropped Files

    SourceDetectionScannerLabelLink
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEINTL.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEODBCI.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACERECR.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEWSTR.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEDAO.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEERR.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEES.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCH.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCL.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODBC.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODDBS.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODTXT.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEOLEDB.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACER3X.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACERCLR.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEREP.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACETXT.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWDAT.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEXBE.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXPSRV.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_PDF.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_XPS.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL3%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSORES.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\VBAJET32.DLL0%ReversingLabs
    C:\Program Files (x86)\Common Files\Microsoft Shared\Source user\OSE.EXE0%ReversingLabs
    C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLL0%ReversingLabs
    C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLL0%ReversingLabs
    C:\Users\user\AppData\Local\Temp\MSI127D.tmp0%ReversingLabs
    C:\Windows\Installer\MSI51B9.tmp0%ReversingLabs
    C:\Windows\Installer\MSI542C.tmp0%ReversingLabs
    C:\Windows\Installer\MSI547B.tmp0%ReversingLabs
    C:\Windows\Installer\MSI5612.tmp0%ReversingLabs
    C:\Windows\Installer\MSI6F58.tmp0%ReversingLabs
    C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dll0%ReversingLabs
    C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dll0%ReversingLabs
    C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dll0%ReversingLabs
    C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll0%ReversingLabs
    C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dll0%ReversingLabs

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://purl.oclc.org/ooxml/officeDocument/relationships/diagramLayoutquickStyleHeader?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/hyperlink0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/imagemedia?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/videohdphoto?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/drawingml/picture.http://purl.oclc.org/ooxml/presentationml/main:http://p0%Avira URL Cloudsafe
    http://schemas.google.com/g/2005#post0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/handoutMasterslideMasters/0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/controlembeddings/package?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/notesSlide0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/extendedProperties0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/themethemeThumbnail0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/externalLink0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/calcChainchartsheets/0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/attachedTemplate0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/endnotes0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/sharedStringstables/table?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/commentAuthors0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/drawingml/chart3http://purl.oclc.org/ooxml/officeDocument/customXml0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/customXml/drs/0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/comments0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/bibliography1http://purl.oclc.org/ooxml/drawingml/chartDra0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/fontTablefooter?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/chartsheet0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/drawingml/diagram1http://purl.oclc.org/ooxml/drawingml/lockedCanvas.http:0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/docPropsVTypes0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/header0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/tags0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/slideslideUpdateInfo/0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/usernamesvolatileDependencies0%Avira URL Cloudsafe
    http://beta.blogger.com/feeds/default/blogsatom:link0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/customXmlProps0%Avira URL Cloudsafe
    http://xml.org/sax/features/lexical-handler/parameter-entities0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/mailMergeRecipientData0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/diagramColors0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/themeOverridetheme?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/styles0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheRecords0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/chartchart0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/sheetMetadatapivotCache/pivotCacheDefinition0%Avira URL Cloudsafe
    http://www.passport.com/NameSpace.xsd0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/customProperty0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/oleObjectuserXmlData?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/slideUpdateUrl0%Avira URL Cloudsafe
    https://office.bcentral.com/eServices/index?DPC=%ProductCode%&DCC=%AppComponentCode%&AppName=%Applic0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/pivotTable0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/presPropsslides/slide?0%Avira URL Cloudsafe
    https://office.bcentral.com/eServices/service?Command=WebPost&DPC=%ProductCode%&DCC=%AppComponentCod0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheDefinition0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/frameafChunk?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/customProperties0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/queryTable0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/officeDocument0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/viewPropstags/0%Avira URL Cloudsafe
    http://xml.org/sax/properties/lexical-handlero12:itemID0%Avira URL Cloudsafe
    http://uri.etsi.org/01903#SignedProperties0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/diagramQuickStylecolorsHeader?0%Avira URL Cloudsafe
    http://xml.org/sax/features/external-parameter-entitieshttp://xml.org/sax/features/external-general-0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/footnotesglossary/0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/htmlPubSaveAs0%Avira URL Cloudsafe
    http://office.microsof0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/numberingsettings0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/volatileDependencies0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/settings0%Avira URL Cloudsafe
    http://officelive.com/0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/transformthemeManager0%Avira URL Cloudsafe
    http://uri.etsi.org/01903/v1.3.2#0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/worksheetxmlMaps0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/audiovideo?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/tabletableSingleCells?0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/mailMergeHeaderSource0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/footer0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/glossaryDocument0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/externalLinkPath0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/tableSingleCells0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/relationships/font0%Avira URL Cloudsafe
    http://purl.oclc.org/ooxml/officeDocument/customPropertiesVj0%Avira URL Cloudsafe
    http://nonexistant/proppanel.xsn0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://purl.oclc.org/ooxml/officeDocument/extendedPropertiesMSO.DLL.2.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://purl.oclc.org/ooxml/officeDocument/relationships/notesSlideMSO.DLL.2.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://purl.oclc.org/ooxml/officeDocument/relationships/imagemedia?MSO.DLL.2.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://purl.oclc.org/ooxml/officeDocument/relationships/diagramLayoutquickStyleHeader?MSO.DLL.2.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://purl.oclc.org/ooxml/officeDocument/relationships/hyperlinkMSO.DLL.2.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://purl.oclc.org/ooxml/officeDocument/relationships/handoutMasterslideMasters/MSO.DLL.2.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://purl.oclc.org/ooxml/officeDocument/relationships/controlembeddings/package?MSO.DLL.2.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://schemas.xmlsoap.org/soap/envelope/MSO.DLL.2.drfalse
      		high
      http://purl.oclc.org/ooxml/drawingml/picture.http://purl.oclc.org/ooxml/presentationml/main:http://pMSO.DLL.2.drfalse
      • Avira URL Cloud: safe
      		unknown
      http://purl.oclc.org/ooxml/officeDocument/relationships/themethemeThumbnailMSO.DLL.2.drfalse
      • Avira URL Cloud: safe
      		unknown
      https://www.google.com/accounts/ClientLoginMSO.DLL.2.drfalse
        		high
        http://schemas.google.com/g/2005#postMSO.DLL.2.drfalse
        • Avira URL Cloud: safe
        		unknown
        http://xml.org/sax/features/namespace-prefixesMSO.DLL.2.drfalse
          		high
          http://www.typepad.com/t/apiMSO.DLL.2.drfalse
            		high
            http://purl.oclc.org/ooxml/officeDocument/relationships/videohdphoto?MSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/calcChainchartsheets/MSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/bibliography1http://purl.oclc.org/ooxml/drawingml/chartDraMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/customXml/drs/MSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/externalLinkMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/sharedStringstables/table?MSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/endnotesMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/attachedTemplateMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/commentAuthorsMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/commentsMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/drawingml/chart3http://purl.oclc.org/ooxml/officeDocument/customXmlMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/chartsheetMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/fontTablefooter?MSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/docPropsVTypesMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/drawingml/diagram1http://purl.oclc.org/ooxml/drawingml/lockedCanvas.http:MSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/headerMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/tagsMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/slideslideUpdateInfo/MSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://beta.blogger.com/feeds/default/blogsatom:linkMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/customXmlPropsMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/usernamesvolatileDependenciesMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://xml.org/sax/features/lexical-handler/parameter-entitiesMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/mailMergeRecipientDataMSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            http://purl.oclc.org/ooxml/officeDocument/relationships/themeOverridetheme?MSO.DLL.2.drfalse
            • Avira URL Cloud: safe
            		unknown
            https://docs.live.net/SkyDocsService.svcUMSO.DLL.2.drfalse
              		high
              http://purl.oclc.org/ooxml/officeDocument/relationships/diagramColorsMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://purl.oclc.org/ooxml/officeDocument/relationships/sheetMetadatapivotCache/pivotCacheDefinitionMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheRecordsMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://purl.oclc.org/ooxml/officeDocument/relationships/stylesMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://purl.oclc.org/ooxml/officeDocument/relationships/chartchartMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://purl.oclc.org/ooxml/officeDocument/relationships/customPropertyMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.passport.com/NameSpace.xsdMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              https://office.bcentral.com/eServices/index?DPC=%ProductCode%&DCC=%AppComponentCode%&AppName=%ApplicMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://purl.oclc.org/ooxml/officeDocument/relationships/pivotTableMSO.DLL.2.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/soap/encoding/MSO.DLL.2.drfalse
                		high
                http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheDefinitionMSO.DLL.2.drfalse
                • Avira URL Cloud: safe
                		unknown
                https://office.bcentral.com/eServices/service?Command=WebPost&DPC=%ProductCode%&DCC=%AppComponentCodMSO.DLL.2.drfalse
                • Avira URL Cloud: safe
                		unknown
                http://purl.oclc.org/ooxml/officeDocument/relationships/slideUpdateUrlMSO.DLL.2.drfalse
                • Avira URL Cloud: safe
                		unknown
                http://xml.org/sax/features/namespacesMSO.DLL.2.drfalse
                  		high
                  http://purl.oclc.org/ooxml/officeDocument/relationships/oleObjectuserXmlData?MSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/frameafChunk?MSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/presPropsslides/slide?MSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/officeDocumentMSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/queryTableMSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/customPropertiesMSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/viewPropstags/MSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://uri.etsi.org/01903#SignedPropertiesMSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://xml.org/sax/properties/lexical-handlero12:itemIDMSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/footnotesglossary/MSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/settingsMSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/htmlPubSaveAsMSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/numberingsettingsMSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://office.microsofAccessDatabaseuser.exe, 00000000.00000002.2507836334.00000000079F0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://officelive.com/MSO.DLL.2.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.blogger.com/feeds/default/blogsMSO.DLL.2.drfalse
                    		high
                    http://purl.oclc.org/ooxml/officeDocument/relationships/diagramQuickStylecolorsHeader?MSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://xml.org/sax/features/external-parameter-entitieshttp://xml.org/sax/features/external-general-MSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/volatileDependenciesMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/transformthemeManagerMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://uri.etsi.org/01903/v1.3.2#MSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/worksheetxmlMapsMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/tabletableSingleCells?MSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/audiovideo?MSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/externalLinkPathMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/glossaryDocumentMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/mailMergeHeaderSourceMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/footerMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/tableSingleCellsMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/relationships/fontMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://purl.oclc.org/ooxml/officeDocument/customPropertiesVjMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://nonexistant/proppanel.xsnMSO.DLL.2.drfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://xml.org/sax/properties/lexical-handlerMSO.DLL.2.drfalse
                      		high

                      World Map of Contacted IPs

                      No contacted IP infos

                      General Information

                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1591991
                      Start date and time:2025-01-15 16:20:14 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 16s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:10
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:AccessDatabaseuser.exe
                      Detection:CLEAN
                      Classification:clean6.winEXE@8/72@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 60%
                      • Number of executed functions: 45
                      • Number of non-executed functions: 72
                      Cookbook Comments:
                      • Found application associated with file extension: .exe

                      Warnings

                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.175.87.197, 52.149.20.212
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
                      • Report size getting too big, too many NtSetValueKey calls found.

                      Simulations

                      Behavior and APIs

                      No simulations

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASNs

                      No context

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEODBCI.DLLhttps://download.brother.com/welcome/dlfp100270/cltw10100a.exeGet hashmaliciousUnknownBrowse
                        C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACERECR.DLLhttps://download.brother.com/welcome/dlfp100270/cltw10100a.exeGet hashmaliciousUnknownBrowse
                          C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEINTL.DLLhttps://download.brother.com/welcome/dlfp100270/cltw10100a.exeGet hashmaliciousUnknownBrowse

                            Created / dropped Files

                            C:\Config.Msi\594d16.rbs

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:modified
                            Size (bytes):530141
                            Entropy (8bit):4.817426866212445
                            Encrypted:false
                            SSDEEP:6144:oIuF+D6zvOCmDoarvNj71RdVJ5QJKfE1V5pjVEMYJ0CFstNWeTgT+Y0PZ5L+mhQa:o7Z
                            MD5:8A902E436C747B7D58262B7172D6AA51
                            SHA1:A35781F0E30AAE5283397EC2D7B0A3AE9139C9A8
                            SHA-256:A3EF3D646165BECC8E635C83AD74D46ED407EBE583699A1E3CC80B104014DD9E
                            SHA-512:AC88A97DE7716769AE07A2545EBC2A277911A581F889E7C7E9E89A1B22F6F6A068CA915FEF9072BED7AF1615CD30CFC44D921574BF95E6230592E8E9226DC110
                            Malicious:false
                            Reputation:low
                            Preview:...@IXOS.@.....@.R/Z.@.....@.....@.....@.....@.....@......&.{90140000-00D1-0409-0000-0000000FF1CE}/.Microsoft Access database user 2010 (English)..AceRedist.msi.@.....@g....@.....@........&.{05CF0009-88BA-4D1A-86DA-5DE0B6FAEFF2}.....@.....@.....@.....@.......@.....@.....@.......@..../.Microsoft Access database user 2010 (English)......Rollback..Rolling back installation..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{398E906A-826B-48DD-9791-549C649CACE5}&.{90140000-00D1-0409-0000-0000000FF1CE}.@......&.{A6D1C76C-5B2F-4D54-8682-95738E88B3AC}&.{90140000-00D1-0409-0000-0000000FF1CE}.@......&.{88D5AF78-19C6-4D47-B4EC-5BAF83D02E92}&.{90140000-00D1-0409-0000-0000000FF1CE}.@......&.{1CDB09B8-58BA-46B5-B334-0F38167D3AC1}&.{90140000-00D1-0409-0000-0000000FF1CE}.@......&.{C6715366-3AA7-4E71-A4BC-A2DBC3CD387E}&.{90140000-00D1-0409-0000-0000000FF1CE}.@......&.{77F30F62-59C5-4A99-A003-700584527465}&.{90140000-00D1-0409-0000-00000

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEINTL.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):196520
                            Entropy (8bit):3.753723863615446
                            Encrypted:false
                            SSDEEP:3072:MRZnGkviXjj80ggbjD1UECecjgQd999oW:awNKg01
                            MD5:57AEA755AF17E7FEEC88CC9C6DF34A86
                            SHA1:9C87A768E9C808444AC1F3F70B1994704844B00B
                            SHA-256:0C1A2237AEC785322AE37A7C4BABA8AC57277AA5EC5AA9FBF6869B4BC337553E
                            SHA-512:85ED5F9AFD163E2D944CE2ECBD5E56EC0EA95EB88D7EF82DD96F659EF7C21467C217820AD24C9441255FD505A6363C3BC1DF3F1E9032B3265709A96A6377F4DA
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: , Detection: malicious, Browse
                            Reputation:moderate, very likely benign file
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=\.y=..y=..y=..^...{=..pE..z=..y=..^=..pE..x=..pE..{=..pE..u=..pE..x=..pE..x=..pE..x=..Richy=..........PE..L...3..K...........!......................... .....;......................... ............@.............................N.......<....@..<.......................0.......8...............................@............................................text...f........................... ..`.data...T....0......................@....rsrc...<....@......................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEODBCI.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):51632
                            Entropy (8bit):4.466389822271565
                            Encrypted:false
                            SSDEEP:768:HVSFg9T1uDGTpRNz/5sJ+YL35YYXrabS2DuRPnMi2jpvW:1SEsyhziJTL35linyM95W
                            MD5:6B228FAB530430AE7152500D238C20FE
                            SHA1:28063BDD02282D2909FBD93A3BA04EE77AA88A39
                            SHA-256:1CA7B6B024F64E43DD1E14DC667E76D3E48B649C4119777E30112B5E54DB7B8D
                            SHA-512:4F4560BEB337ADA91F41D801A0E99C77D9F729AA8FD0E30419F14E5B297BBE2473618D488999E39500DA9A2A8CA62D827A757CAAEDF28B8D485B897540B7A2D7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: , Detection: malicious, Browse
                            Reputation:moderate, very likely benign file
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=\b.y=..y=..y=..^.w.{=..pE..z=..y=..[=..pE..x=..pE..{=..pE..x=..pE..x=..pE..u=..pE..x=..Richy=..................PE..L...K:.K...........!.........................0....q;......................................@.........................<.......l"..<....@..T.......................$....%..8...............................@............................................text...t........................... ..`.data...X....0......................@....rsrc...T....@......................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACERECR.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):20432
                            Entropy (8bit):5.1271470036934925
                            Encrypted:false
                            SSDEEP:384:Dz6KD4mw5Q8S8dGCVxqR9cGCXEWW6MlWKLXci2jXHUoJd:f6KD4mw5Q8PdhxqR649Mi2jXHUE
                            MD5:86EFA17A232685397C9A8F8D42DC5ED3
                            SHA1:56E57D92EBE6ED42938EEBCD517DF0A0C70EAA0A
                            SHA-256:FF5015328F1D632585B38A7096DF0DC710B32B744227A14570C0ED0C4CAFA1CF
                            SHA-512:BFCA427F2D1F960F1750E244759B33677B40B2689B2BD7CD0C044926D8342B9E972BA484C5F79858659E6D6E08E032B8A792227542D2D9653BFAF39AB7DA010D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: , Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e..W...W...W...^|R.V...^|T.V...^|Q.V...RichW...........PE..L....6.K...........!.........6...............................................`......}.....@......................... ...4............ ..$2...........8...............................................................................................rdata..............................@..@.rsrc...$2... ...4..................@..@.....6.K........W...T...T............6.K....H...........................ACERECR.DLL.RSDS..o....J.`.....>....D:\office\Target\ACE\X86\ship\1033.pre\acerecr.PDB.acerecr.pdb..............................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEWSTR.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):854128
                            Entropy (8bit):4.949201225668175
                            Encrypted:false
                            SSDEEP:12288:XRmLWu06UEPvhjlhu9kHY5jtdKMyWnZ5z39jjyaoK:XRm7UEnH49kH+tdTIaoK
                            MD5:156A5A97CB5391CA8ABD03A6EEB45B6B
                            SHA1:29ECF920FC05F288C5DEC67E7EA2DDAECD8D07B6
                            SHA-256:FBFB03025734AD84BE663DBE75D52F7DC9871AAE1F582E07E2210C7B1BCBBEE5
                            SHA-512:5823518FD642644CA400579411850BFCE4D02E7E3457D3D4C783D53D9158D8CF54DE828B043055F8B1A3730A321CD643F0F1116695A01C69B4CA9016BA63B03D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&..u..u..u...u..u...u..u..u..u...u..u...u..u...u..u...u..u...u..u...u..uRich..u................PE..L.....P...........!.....f...........j.............:......................... ......Y.....@.........................\o..P....o..<.......................p.......<....t..8...........................H...@............................................text...ve.......f.................. ..`.data....q.......p...j..............@....rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2499680
                            Entropy (8bit):6.044446425373023
                            Encrypted:false
                            SSDEEP:24576:RkLHgZpJk5S/vz4abLCj6eMfgpxjREUNn89nlbFyKfilKxOqZou:RkLHkJk5+CEL9lbFzfvZou
                            MD5:47DBD73563490D9828E596F86DBE31EB
                            SHA1:A8EA4D08C0C1481CE97FD18A8A38E9B3BE5AF3F7
                            SHA-256:C941C6F013A6847EFB4674DB8D028E2B17F56FED240029A5696D23D83BAFFD5C
                            SHA-512:CF5D62CDAB3B450A1C0676FD4AEA7F99A8DCCA7BFF1271FF4764868C43568CD2AF6644DBDFE099FF133387EAE42BC3CE5D7C6C944A76C0AA2F6500977080EC71
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e..W..W..W..^||.V..^|z.V..W.y.V..^|..V..RichW..................PE..L...v<.P...........!..........&....................9.........................0&......P&...@.......................................... ....&...........&.`...............8............................................................................text...............................@..@.rsrc.....&.. ....&.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):55680
                            Entropy (8bit):4.869093237347097
                            Encrypted:false
                            SSDEEP:1536:DyeRlCBm+j9POROulFnU/kvEnshMV9dj4w95D:Dm+KkvEshMV9Z4w95D
                            MD5:8E81A111FC922524F7A3FF9679A2626C
                            SHA1:D01D7C61D537848DEB177D2382471C04D7BBC1F4
                            SHA-256:77EC6E1DDE0D20F8A02C9A2D20B4F2BF806BB382FFE2977A000987F99E483BD4
                            SHA-512:DD4418973B9184FFB6D5873E4AC2570332AC29F2A235CBF79FC09A21721E685474CF3739DA5ABB9B7DA50F4C5AACD2C1FCDE51FB40AC927C4EB0BCB8F80ACCE1
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e..W...W...W...^|R.V...^|T.V...^|Q.V...RichW...........PE..L....VIK...........!.................................................................V....@.......................................... ..................................8............................................................................text...............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1388416
                            Entropy (8bit):5.051999983508193
                            Encrypted:false
                            SSDEEP:12288:lcji8e43+V30ZGtlSb7XoTonuEZT8FRCas+DuTTCM1rX2Uu:yjoPVqwgMEXoFsasiETu
                            MD5:656DCD78613F7716BA4EAA5A5F3DA4FD
                            SHA1:A6D32A5F0148E251298C145DA5B16DF6F4C6C089
                            SHA-256:BBE053F7FA668F5177002DF53A0C43A18DEBE7A4F15A2E2B62968E114022EBE9
                            SHA-512:6EA71CF15AB4CDBE458EBA035EE63196B03FAA306676E50AE2A54B01760E174C5EC631D78558BF9519E17A8DD33B05E4A6E9FFED89CEA62333CD76280C528D16
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e..W...W...W...^|R.V...^|T.V...^|Q.V...RichW...........PE..L....VIK...........!.........................................................@......G&....@.......................................... ..................................8............................................................................text...............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1843816
                            Entropy (8bit):6.58873367940625
                            Encrypted:false
                            SSDEEP:49152:dsIe2OWReRcTwbKl3cGdBdi8h3cLda5RmhYU1:k2OhRsw2rTU+sLOmq8
                            MD5:96B518B62E482D74404D5F1F8C240D8F
                            SHA1:242D49EE16F77EE297C6F70D9371E4367A709FB7
                            SHA-256:CC403B95CA190153D829FC5605B09E8C5398A5EAB52B5F553E798A5CF4FE647D
                            SHA-512:FD5E97CC9E88416712376FBCDACC0BA39A218774DD0C3128B989726C48BAEA6B20DE1C64B1A6A0ED78C4BCA7BC3CDF8C9708EA9DAC3FB45AFDE552630EFC1303
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O......................VM.....raH......VK................D/...|Z......VZ.....V].Y....VL......VJ......VO.....Rich............................PE..L....Y"Q...........!.................X.......@.....4.......................... ......v....@.............................................................h...........h...8...............................@...................h........................text............................... ..`.data...<........N..................@....rsrc...............................@..@.reloc...............&..............@..B................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEDAO.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):544920
                            Entropy (8bit):6.361519985458099
                            Encrypted:false
                            SSDEEP:6144:x4J20DX6qhIAq04x4au344ELsrx0PIpQWjC8u+MGQfqpyToP1hOqqV8i7EVW5n:6J2rqhIAqNx4YPIbW2M9xG+
                            MD5:CC98FD9B25BE402A9C9ED9B32B0EE65A
                            SHA1:6132E99E062CDD38386A6ADEAF80FC219C815BA3
                            SHA-256:F72F11766BB445BD09A098F481E2BF0380F130A8F6A19CEA48FA3C2B0363579B
                            SHA-512:4B6E968B2BE96A8E110F31A2DDF002872189A0559EF0F1F5458AB414879875FEFFE93E43BBE99E7A2533F850A86A56BE963B2A3F646F87FF65AA2DB5B5F73DFF
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&..G.G.G.....G.?y..G.<.|..G.?...G..n..G.....G.G.HG.?n..G.?i..G.?x..G.?~..G.?{..G.Rich.G.........................PE..L....Y"Q...........!.........p...............0....I;.........................p............@.............................q...............h............6..........._......8...........................0...@...............L... ...@....................text...u........................... ..`.rdata..............................@..@.data.... ..........................@....rsrc...h...........................@..@.reloc..._.......`..................@..B........................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEERR.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):37000
                            Entropy (8bit):5.95155452052304
                            Encrypted:false
                            SSDEEP:768:6suhMhbm3aj5Qqp9QecUM5nepP1Vnlc+8tVqOXOH/+9MQnFiN:qmhiqd99QecBnepP1VqNqOXOH/OMQFk
                            MD5:2328DAB740F3058B0BC040AAD2839F82
                            SHA1:4DB709051101AABA648964152D8319AE22DBF018
                            SHA-256:D293B39FF640806AAD93EE3C0E8D868CF1FD7F5AC0B1AB5389F2C67C2BF281FE
                            SHA-512:ECBF6AC141B88E1CC2A6E536B31322CC6B44C2EE21D6BB7B5B3D52C2C9BB464528B4B6EB39398714111C106066DC888F4CCA25098B9C6A261793A3C86BDF5F70
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nC..*"..*"..*"..#Z*.)"...m/.+"..#Z,.+".....""..*"..n"..#Z=.,"..4p=.+"..#Z:.:"..#Z+.+"..#Z-.+"..#Z(.+"..Rich*"..................PE..L....Y"Q...........!.....b...........b.............;................................t.....@..........................j......$l..d....................v..........,...`q..8...........................xH..@....................k..@....................text....a.......b.................. ..`.data................f..............@....rsrc................h..............@..@.reloc..,............r..............@..B................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEES.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):647816
                            Entropy (8bit):6.50038271256333
                            Encrypted:false
                            SSDEEP:12288:fIU6G4s8HvmNw7EhGOGrdZlI0EVSVa9H89vjgYE1Uhfk9HJds3KUvNx3z:fIUfm7EhG1VnvjgYE1UQM3Bvz
                            MD5:89F04D75CEB70DEAB2C8D47E15F906C0
                            SHA1:9E446147005A9A7B7F11F39F2F831EEB20E64884
                            SHA-256:236D1696D354E5C1DEFFDD054DF1AA34641C6938BC6F854D69206BCCE36483E9
                            SHA-512:801A7CD5355BAB95753DD3CBA1CA61F0E679858A0C96CA3F730FEC6DBB618F1EB8B1EA57A28956A88CE7017E397FEA92A6E098B38A83D5B8959E9B7628DB2861
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t...S..r...}f!.p....Q$.u...}f'.s...S..y...t...D...}f1.d...jL6.q...}f6.....}f .u...}f&.u...}f#.u...Richt...........................PE..L....Y"Q...........!.........<.....................:......................................@.........................4............................................j......8...............................@...............x.......@....................text............................... ..`.data...T.... ...<..................@....rtext..L............P..............@....rsrc................R..............@..@.reloc...j.......l...\..............@..B........................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCH.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):335488
                            Entropy (8bit):6.150025799390155
                            Encrypted:false
                            SSDEEP:6144:i1hOv9vcTu7gBCXZTsa2KnhOL8QfaggevjqB12J6d+K6g89a4UM9:i1hOv9v3gg+Kw8QOevjqB1Q6MgOf
                            MD5:D32C20FEB3D64EC5089F236D33A1085E
                            SHA1:FC2E07BB38DE7930C2DB8136C5EF958B57129C4D
                            SHA-256:A021D7AAF7B2B092D8261E5527D46737297133076B477E465D4E3895B0210DDB
                            SHA-512:B1D27602206A52D0907C6DBC90386CDA88580F5E689E7E050E130EABA9D17C45154BA4CD65A70373F9BE653885B163EF6723AFADC1D9A9357DA79527DEFED68F
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Un.4...4...4..<{...4...L...4...L...4....{..4...4..D4...f...4...L...4...L...4...L...4...L...4...L...4..Rich.4..................PE..L....Y"Q...........!.........t...............0.....;.........................P......(>....@.........................l...`.................................... ...#......8...........................P)..@.......................`....................text...#........................... ..`CURSORS............................. ..`BASE.....C...p...D...V.............. ..`.data....D.......<..................@....rsrc...............................@..@.reloc...#... ...$..................@..B................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCL.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):646368
                            Entropy (8bit):6.4012103251120624
                            Encrypted:false
                            SSDEEP:12288:pKpSQ7k2f52toU3zg9I0ETQrLyWpV7BliKrMnY2VW7Sz+U34VeM9kt00cIL:UC2f5qj8ft7DiK8Y2LM9g04
                            MD5:0DF4C75F989A6BD872FB1748EBC78C5B
                            SHA1:88CCE5ACD03E8A5B4E51980C4BF0E40FEA6F245D
                            SHA-256:FF2F548DFE8B2F9BD6A23567618D2C16DCE31AA7098DDB438212162B9A305D4C
                            SHA-512:BD73E0A9AD9E2E922CA577768DDB761FAC6D70560672C786CDB78FC0E4624DEFEA82905D444F5FBAB837D20F4B952599F25FAEDAEC3D10BA65789B8C1C900118
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......rG.p6&.#6&.#6&.#...#2&.#?^n#2&.#.ik#7&.#?^h#<&.#...#=&.#6&.#.'.#(ty#3&.#?^~#(&.#?^y#`&.#?^o#7&.#?^i#7&.#?^l#7&.#Rich6&.#........................PE..L......Q...........!.........:......R ............y;.........................0............@.........................$...X...h........p..LO.......................d..,...8...............................@...............@...|........................text............................... ..`.data...`........:..................@....rsrc...LO...p...P..................@..@.reloc...d.......f...\..............@..B................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODBC.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):279696
                            Entropy (8bit):6.187651099619222
                            Encrypted:false
                            SSDEEP:6144:cUSIfxXcPgItf81u6PR/9YhoRsHiTsUITSlOLWa:cUfxMNtf8o6IZTj
                            MD5:5A77F7C098483B429B51EA528352385B
                            SHA1:910D853666175F0BE0C6904DF46252CDF997FF20
                            SHA-256:F92F2DF951FAAAC1CDAC9C310999C88335DB66090D7D4696E63108A1B6D90952
                            SHA-512:337F3F3EDB8372B9BD2F56A62494AF275972BBDA6B70A1917E4CF4E3B4D9B31E585DA31FBD684C4563700FF7A66FB9A8C4A43AE081F45A5F48C2A1775FB79B4F
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,.Guh.)&h.)&h.)&OOR&f.)&v.&i.)&OOG&i.)&OOD&j.)&a.&k.)&h.(&z.)&..&i.)&a.&a.)&a.&`.)&a.&i.)&a.&i.)&a.&Y.)&a.&i.)&Richh.)&........PE..L......Q...........!.....(........................j;.........................P............@.................................,'.......................*.......0..8...(7..8............................B..@....................%.......................text....'.......(.................. ..`.data....^...@...Z...,..............@....rsrc...............................@..@.reloc..8....0......................@..B........................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODDBS.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):15536
                            Entropy (8bit):6.386167857098985
                            Encrypted:false
                            SSDEEP:192:hwkbQBT5m3XGt+wCXdlRW4iN5WzojS6T49LP0nWxs/nGfe4pBjS7:h7bQBVa2UPNlRW4iN5WuKMnC0GftpBj
                            MD5:5CCBE894C2780CA8E595AF2AAE5BC3DC
                            SHA1:5B7C0BC00884FD1F8E9AC6E0C92CFA835957DF43
                            SHA-256:7CA0D67CBE38258DA5DF41C1277BE03150CE718FB9C67E3971F74661DF33EE10
                            SHA-512:36FBFC8F1B6298D5291D947466DD33112515B143AA0CD3613D7655234CD1AFE80B717137DEE1C54F8C78B35D78B86A18C913A82C93751EE423B4A7737AD4F858
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o.AY.|.Y.|.Y.|.~...[.|.Pv..\.|.Y.}.|.|.Pv..X.|.Pv..[.|.Pv..X.|.Pv..X.|.Pv..T.|.Pv..X.|.RichY.|.........................PE..L....d.P...........!.........................0...............................`.......U....@.............................N.......P....@...............".......P..0.......8...............................@............................................text...I........................... ..`.data...T....0......................@....rsrc........@......................@..@.reloc..0....P....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):15536
                            Entropy (8bit):6.387123377633282
                            Encrypted:false
                            SSDEEP:384:o7bQBb2UPNpW4AN5WuZBMnC0GftpBjpTqp:oIbzFmyiip
                            MD5:FCC0FB3C183027C9FEDB62AC25AF9F58
                            SHA1:31066AAE191B46EB698DC109001A7B9585C7FB9F
                            SHA-256:9E40C9907FACC3AE387A4948D2E9A28CF46A1B76601511627FE6A6C1D1307BBD
                            SHA-512:EF4C7D811390B7FA5E781C92FC47B259883634CD2DB1D9B211572FC77C99B699D5132CE962D183B784B192C211396E4854C6448B04C1CC1117691B339865560C
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o.AY.|.Y.|.Y.|.~...[.|.Pv..\.|.Y.}.|.|.Pv..X.|.Pv..[.|.Pv..X.|.Pv..X.|.Pv..T.|.Pv..X.|.RichY.|.........................PE..L....d.P...........!.........................0...............................`......=O....@.............................N.......P....@...............".......P..0.......8...............................@............................................text...I........................... ..`.data...T....0......................@....rsrc........@......................@..@.reloc..0....P....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODTXT.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):15528
                            Entropy (8bit):6.386752778069314
                            Encrypted:false
                            SSDEEP:192:NwkbQBTV3XGt+wCXdOWBuN5WzojFU49LP0nWxs/nGfe4pBjSjYi:N7bQB92UPNOWBuN5WuFMnC0GftpBji
                            MD5:8430C591B95A0F610174028C94590915
                            SHA1:3334723C8F4217960B2EE897FDDF4E633656939D
                            SHA-256:AD4E47AD1B6E9E5EF0A76CECCF11AEB37AE6C09036763811790EB7EDF45A2E48
                            SHA-512:B40924054CC877BDF8BB523EFC60DAB54F2F543A33E21B92EE9B7FE6C4603B02BA27C319F9FE7285B627E5C501597761517EBB7D132134BFAF77D6E686624CC3
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o.AY.|.Y.|.Y.|.~...[.|.Pv..\.|.Y.}.|.|.Pv..X.|.Pv..[.|.Pv..X.|.Pv..X.|.Pv..T.|.Pv..X.|.RichY.|.........................PE..L....d.P...........!.........................0...............................`............@.............................N.......P....@...............".......P..0.......8...............................@............................................text...I........................... ..`.data...T....0......................@....rsrc........@......................@..@.reloc..0....P....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEOLEDB.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):378072
                            Entropy (8bit):6.315928496615918
                            Encrypted:false
                            SSDEEP:6144:T6Cdhj/QQE94WAja85YxWQii1IBT4RvSG+FsOchO+t3R:uCnjohdSd6WQl1IJ4Rmw
                            MD5:77A745B9C26ACCABF98218D5942EAA19
                            SHA1:29ADEF32998E80C2736FCC816ACCF9F207A5D7A6
                            SHA-256:A41D677F0F0F1CCC1A49E9EC776CECE17EA015B115D9E799128F3FF943924064
                            SHA-512:E35E12F38CCC463F7933ACFF24CAB9B1D08FF69F951118689D0D7072191A80C912CFF5E939E45B6348DF14EC93DF94636A15EBAD449111F65D13367BD72FF1A9
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y,..=M..=M..=M.....;M..454.?M..452.8M.....6M..=M...M....1.?M..#.#.8M..45$./M..45#..M..455.<M..453.<M..456.<M..Rich=M..........................PE..L....{:Q...........!................c........P....b;.....................................@..........................=......DA...................................@......8........................... ...@............ .......>.......................text...Y........................... ..`.rdata..l*... ...,..................@..@.data...d$...P..."...<..............@....rsrc................^..............@..@.reloc...@.......@...j..............@..B........................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACER3X.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):330360
                            Entropy (8bit):6.528015153785932
                            Encrypted:false
                            SSDEEP:6144:JRB24SfaVGWtWyyr7Xo53wSTWu6Ibj3mNF/lGH0IebN469wFwY3XzChO8U4yC:JyAgWtWyI7XaAsuO3mLlm0ICCwY39C
                            MD5:F96DE7533E0E5F8F1692D49EE25149B5
                            SHA1:372205709C4D16A31086CF6CB78E36773465C892
                            SHA-256:93D5CEF72875FE841309550A1EEDDFD0EFDA95515E60B002871A426A2AB57EC3
                            SHA-512:88778F53A51C447FD0FB9433EDA3E9149CE3F5E7788765ACD0BE117C4FF47A44A646DC9A3782D3F9592D25CBCF89695389D477E985CB561B027BDE907DA44C60
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...........{B....(LG.....{D...................7...QU.....{U.....{R.....{C.....{E.....{@....Rich...................PE..L......Q...........!.........F.......W.......P....s;......................... ......o ....@............................7...|...x.......................x........(......8........................... k..@.......................@....................text............................... ..`.data...8...........................@....rsrc...............................@..@.reloc...(.......*..................@..B........................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACERCLR.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):45728
                            Entropy (8bit):6.408659815115089
                            Encrypted:false
                            SSDEEP:768:6CbM2w2UZJFXXH6I0G2jY5E6QaItPY3OI/wvH70D0SFsKgy3Z6ehOpl+YLBKRviE:6CbM2w2AHXH6jRiJQaItPkOQ2H3Kgy3j
                            MD5:9A384587D2BB88F7646DF38B5D3E3BA9
                            SHA1:86A8CF4EAFCF4C06B5CF9C386CF2A1D060241557
                            SHA-256:D115E00BAEDB223618B7BCFAD132145C4F75882873D9D93BFD5439F4C38745E5
                            SHA-512:23CF2678259CFCB68697C39CD7A92A6FF2D26204C06BCCD63CE864F97B7F2291D540AF74E0C5E52C8189A8679E285B724CC24A917FE1DBA5C2DC9BEFEE0CB5FE
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.I.~.'.~.'.~.'.YtJ.|.'.w..z.'.......'.w..|.'.Yt\.s.'.~.&..'.`...'.w..k.'.w..n.'.w....'.w....'.w....'.Rich~.'.................PE..L......Q...........!.....|...........t....................................................@..........................}..r...p...................................@.......8...........................H...@...................`~.......................text...;z.......|.................. ..`.data...............................@....rsrc...............................@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEREDST.TXT

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):27
                            Entropy (8bit):3.8245387807277744
                            Encrypted:false
                            SSDEEP:3:PI6qNSv:gTSv
                            MD5:06604F6AD34FA0BA04E2F785E32367F5
                            SHA1:ACBEC35E882A65F00A8BB920BB4B00DE5476CE85
                            SHA-256:FEC7F297B0B41C1F85A4E0294BFF35E8794676187F596A330EDCB1D4C3D1F26D
                            SHA-512:65EA5C139EB13102B6D180DDE5B7AD9E9DEF494C053036CDA4EB6CB6D43FD24B6E9433BA7F4162470A50BFB286EEDD71E2A5B8EEBAE7BC83E62983D1A2E2D2D2
                            Malicious:false
                            Preview:AccessDatabaseuser.exe ..

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEREP.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):528536
                            Entropy (8bit):6.3738351759493375
                            Encrypted:false
                            SSDEEP:6144:S/ppiNu2t7mAd+eFtdOFQtA/yeEB89Ofdy7MwK95kJnUyMc7R+vAXyyCrcM1qrUr:2biNvsAwcj40ymOuFc7RxCyCErU8k377
                            MD5:78E16C3A5C1E7A87D6B977925229DA1E
                            SHA1:1353DCFE050D3A5A504905F076109A16F94CE319
                            SHA-256:BC764A22174A80E4FE3719C82AE8267667CD842FE25835D5CE57FDD13C425CDD
                            SHA-512:6541AB0E5DA968FDD762853F5B2961BCC0623ECA7BAB43597AAF191A84AAD072AB41E5254185103617356611C4BAAEE81D780B7A44CA66C7EB47DD5173188C71
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............nn..nn..nn......nn.I!...nn......nn.....nn.....nn..no..nn..<...nn......nn......nn......nn......nn......nn.Rich.nn.........................PE..L....Y"Q...........!................H}............X;.........................@.......*....@.............................[.......x................................Y......8............................i..@...............H............................text............................... ..`.data...L+..........................@....rsrc...............................@..@.reloc...Y.......Z..................@..B................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACETXT.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):221304
                            Entropy (8bit):6.330477703077784
                            Encrypted:false
                            SSDEEP:6144:MtcXGBwrKGK/bCzKJ7h5LJAAtH/4Ya1W2/Tb4HGHwQfkptipBWOdMy:bK5LJAAtH/DaIUTb4HGHwxptipay
                            MD5:08F1F4B2DCD23BEF2747F74E2960AA2D
                            SHA1:B0FC858A114DC2CC3759D6962F382A583C123A48
                            SHA-256:5186673CE46BA50CB54DD0199694EBFAA068EB6E741863C45E25E34973192723
                            SHA-512:BAA89D690C516682E973C68916BC72009571CCB034CA64549626042E77AF7309F60C1C788CFEEDB71FC058578978EDCB54AC82925405B2CD6CEBB5CF73F5A22F
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4..p...p...p...Wa..q.....I.q...y.J.y...y.L.w...Wa..z...p.......n.[.q...y.\.@...y.[.}...y.M.q...y.K.q...y.N.q...Richp...........PE..L....Y"Q...........!...............................;......................................@.........................`...7...X........................F..x.......p.......8...........................@T..@.......................`....................text...)........................... ..`.data... y..........................@....rsrc................"..............@..@.reloc..p............,..............@..B................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWDAT.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3049376
                            Entropy (8bit):6.470431761306206
                            Encrypted:false
                            SSDEEP:49152:JQN5vwiZx58ASCJJWS97gYQc4gyNTLyTv+hFBrGk9GOva2+GmfKmfHIkPy+TL:uN5oiv58ASSWTYQceNXyTGhF1v9xvEG0
                            MD5:A6F5ACA8DAB5FF8B8EAA26F060336C8E
                            SHA1:46F56E11562121064A85EA9CA3DE07FB9FA7A108
                            SHA-256:4A95B48D8FA6F9F19F687A3D816C60A4FE1BA445920F012ADBF264D3789BAF99
                            SHA-512:F5C6AB9683A718ADFB9F59536D3BDE316D2B132FCBD01AA2D9FEC91F88F937D557699601D79C8CA84121C52FAF7C4C6F54F80AD02FDAC1DD2E6C21BA7EC84F09
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W......................[...............].......L.......K.......Z.......\.......Y.....Rich............PE..L......L...........!.........R.......#.......0.....;................................i./...@.........................l(..8....(..<....................p..........<...\,..8...............................@............................................text............................... ..`.data...4E...0...B..."..............@....rsrc................d..............@..@.reloc..<............l..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):247424
                            Entropy (8bit):6.677359751177031
                            Encrypted:false
                            SSDEEP:6144:fCTBJA9eLw8FwIe8SERItIWwV1pI5Ol6xgnimI4aOkg5Q:fCTrA/fER+IWsYoWN
                            MD5:50AD01A0EF7C6BFF0AA190A7A838EBFE
                            SHA1:5F2C203AB133919481DEF938B23C7BD3E17DE576
                            SHA-256:061A7F953F84D42C7202F23F732B12D7FA7F7B3B48A1A7540F02D48FBE829DAD
                            SHA-512:47694BE304D7000987950B549FDAD5F9470DB7DB74307DD97DE6FF2C431919F9DAE6A0B80DA4B8E8FE778966FDF1F7001E6F33624849030782BD1812F7ACB7D8
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7..7..7.....7..e..7..O..7..7..c7...x..7..O..7.....7..O..7..O..7..O..7..O..7..O..7..Rich.7..................PE..L.....P...........!.....x...F...............@.....4................................X.....@..........................|..7...@|..........|.......................P...`...8...........................X~..@...............4............................text....w.......x.................. ..`.data....!...........|..............@....rsrc...|...........................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEXBE.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):363656
                            Entropy (8bit):6.387492405605909
                            Encrypted:false
                            SSDEEP:6144:Ba+A2LYyMkREoZWeKv2v0gKrytCIKHoijYKskUVCrMLONGfKLf:I+d4oZKvQSUCIKIijYHkUVC4t6
                            MD5:4F75717682E24C330FC20601DFECB626
                            SHA1:2FAB3C36F51D0E9447F6C46F4B67C4168180F655
                            SHA-256:2B7AE1E68F41AFD8CE095E7A01BB1DC9C6C5829E2568CEB2C1F3174971371C26
                            SHA-512:1FC3CDA0B6FCCB6E8F8A0254199A270FAD27E22AB57FDFE242E81B085B032AFEDB0312DBA07C6FC2F92986F5614AAF35B04BED8A355144AB252E7E9168687752
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%.?RD.lRD.lRD.l[<$lWD.l..!lSD.l[<"lZD.lu..lXD.lRD.l.D.lL.3lSD.l[<4l.D.l[<3lYD.l[<%lSD.l[<#lSD.l[<&lSD.lRichRD.l........PE..L....Y"Q...........!...............................;......................................@.........................x...7............................r..........`*......8............................4..@.......................`....................text...u........................... ..`.data........ ...4..................@....rsrc................<..............@..@.reloc..`*.......,...F..............@..B........................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4300456
                            Entropy (8bit):4.692926232602364
                            Encrypted:false
                            SSDEEP:49152:RIfV1YrNP6+Au5qgWib0X9+njNWH+rqhM1u:JNP6+Au53s
                            MD5:A026BD4085C0E933A57E1B81840DDD83
                            SHA1:8DB011A089F5DC894E0D6BE353B2A7B6A6770180
                            SHA-256:0E48323B8BF92687C0FE7C5ED6D44C51A189C5D5C745A717A60D6444769AB735
                            SHA-512:4330036068B6A6F2D09B94E286B472BD17DF0B10130CC69AEA6C579FEA56DCC523053D13CF91F09BE6432D48F9BBCDE718BCFDB9659AAF6A127E282E9FE1DC24
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e..W...W...W...^|R.V...^|T.V...^|Q.V...RichW...........PE..L.....\Q...........!..........A...............................................A.......B...@.......................................... ..`}A...........A.................8............................................................................text...............................@..@.rsrc...`}A.. ...~A.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXPSRV.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):454744
                            Entropy (8bit):6.623858457452539
                            Encrypted:false
                            SSDEEP:6144:PG3LPMCteJXH2n3zvAWrqopaNIBOH7ELUFqtcFAOWOMyU+p0c2aZ5:PuMCEJXH2n3zYWrqopaNQO4L5cFxMBo5
                            MD5:7172970EFFB3EA5600B53D5905566ED0
                            SHA1:E7CC72236B92EC0E7B922FDFF24A589F6D3C38BC
                            SHA-256:8AD6D1CF04A4E15B5F4EB348E9FB6CEE7224B64ED277FE38FAE3DE3EF60614D9
                            SHA-512:50C141B2ABE027E323F55F2BC64BA9FBFFE97724B12BD2E4D2EC286E19903402A677009C6026D9201930483CBE1F3E9454D36CCDA7D2C2D45B15E783066EE6E1
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,a..B2..B2..B2.'/2..B2.'92..B2..C2..B2...2g.B2...2..B2...2r.B2..2..B2...2..B2...2..B2Rich..B2........................PE..L....}oP...........!.........b......=y..............................................QH....@..............................N...w..x.......................X........=.. ................................................................................text............................... ..`user.............................. ..`.rdata..*8.......:..................@..@.data..../..........................@....rsrc...............................@..@.reloc...K.......L..................@..B........................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_PDF.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):101992
                            Entropy (8bit):6.764942652670399
                            Encrypted:false
                            SSDEEP:3072:vCbtJGyYsLBzrBQ4COc5JnvkmQaAanZ/Q4doCFh:vCX9J45JnMZv8Nndx
                            MD5:F7BA3446A6AA42E3A38597CC8E826C79
                            SHA1:BE10FDB8F859D8BE803F5E6FA340358119D3C94B
                            SHA-256:BAAE2E026C83CC200281775C58FAF1275BF26B26C2C54FBE440654EB0D9F49EF
                            SHA-512:E3C289FDF1D14915924935310D2125CFE103B06001D2A1990FBE0EBA73B1AE4D88788996B095124FF600DC191BCB5DDAA436BE9F1B9D91A7F5534272EB818EDF
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4...g...g...g.?.g...g.?.g...g..Cg...g...g...g..Eg...g..Sg...g..Dg...g..Tg...g..Bg...g..Ag...gRich...g........................PE..L....;"Q...........!.....Z...........V.......p....nE......................................@..........................^..U....^.......................t..h...........hh..8...........................p-..@...............8............................text....Y.......Z.................. ..`.data........p.......^..............@....rsrc................`..............@..@.reloc...............h..............@..B................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_XPS.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):59480
                            Entropy (8bit):6.466894019333764
                            Encrypted:false
                            SSDEEP:768:Z4k7DZkKQ38fUVRTAQI/CCRWS6VS4+rXxuoLxvzypmLT0gEYTRFraQ6F0Ji6Fr:Z4kq5MUXAQIWfS5xuxmdEIRh6qJx5
                            MD5:459538285FB66B0820B85FEE5DCF21A7
                            SHA1:A0E395814A16DDD24F075289CC165683070ED88D
                            SHA-256:A67A97299D5348A12C7088A1EE9AF304E29F8B7157C9E99E41DBC4691CCEEA00
                            SHA-512:553339C94A627C87803D263AB038C4A649C11562434974DCBC1899229082636949944A298EA88033D8319D395A20EED3FA8D2EFFD021E904780F5F9EE434109D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I.G.I.G.I.G...G.I.G...G.I.G.1lG.I.G.I.G.I.G.1jG.I.G.1|G.I.G.1kG.I.G.1{G.I.G.1mG.I.G.1nG.I.GRich.I.G................PE..L......Q...........!................D.............pE......................................@.........................L...U.......x.......................X.......,...T...8...........................8=..@...............,............................text.............................. ..`.data...`...........................@....rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):18635968
                            Entropy (8bit):6.539176807452944
                            Encrypted:false
                            SSDEEP:393216:C44GrbHDqV/9mMAfsN9g8TPUNsmjdqUDNbwGgmS1iGm9:JrbHD0lAfsGs4qUYn1i1
                            MD5:AB4FE7E4B1B1B845D789EF6C30FCA1FE
                            SHA1:75B383A6614AF9ED11845AC0A85A041C3E99D352
                            SHA-256:D6DB37FC839B1107BC77E77853FB784B2CDC34AE2A832625C07A0A973DE40A34
                            SHA-512:ADC5CBF8980ABAB8B437B23D850195FC5DD6C034AB5F69B597D4A011AA16B699C15C4A79F3BCA2C1B2A9B5AE503AE474DDC8974D787E9F31ADCD14341ADC8A92
                            Malicious:false
                            Yara Hits:
                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL, Author: Joe Security
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 3%
                            Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........,...BO..BO..BO..,O..BO...O..BO/..O..BO...O..BOQ."O..BOQ..O..BOfy/O..BOfy?O..BO...O..BO..9O..BO..CO..BO...O..BO../O..BO...O..BO...O..BO...O..BO...O..BO...O..BORich..BO........................PE..L......Q...........!.........Z.....................9............CS P.........p............@...........................=.=...l............^...........B...........i..x...8............................E..@...............T....".......................text............................... ..`.data..............................@....rsrc....^.......^...z..............@..@.reloc...i.......j..................@..H................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSORES.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):72524600
                            Entropy (8bit):5.149821660145504
                            Encrypted:false
                            SSDEEP:1572864:KdbWo7aLKb7YF+w6chhnOS6seHKOeJjM1:Kdb26chhnOS6seHKOeJjS
                            MD5:76A5DB2B33E75128AE6309AE68A5D0A2
                            SHA1:E32DF1A8085470B11E2698D18B05A117085E91B8
                            SHA-256:A52D5F708C57B2C89791294DE5032752D61CF11F1B43286B4B25350181F5928D
                            SHA-512:A17AFD1E66CADE1F9A54F87AF8189879EC481A5195D72C4401A184728CD2BC24035279650AB75CC24421768D19D4540A2DF94895D14F6D6A1EA549A404534F26
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e..W...W...W...^|R.V...^|T.V...^|Q.V...RichW...........PE..L...X4.O...........!..........R...............................................R......NS...@.......................................... ....R...........R.8...............8............................................................................text...{...........................@..@.rsrc.....R.. ....R.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\VBAJET32.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):50272
                            Entropy (8bit):6.391215711621637
                            Encrypted:false
                            SSDEEP:768:PM01KG+65h6tpjPnqV93Pmx/QobMlzdUMR2Xi:pK+r6tp2V9P6Qi2R2X
                            MD5:AAC786999127BF644763C8422EBF0C24
                            SHA1:469CA9350E75053FD58B8C99B62B926AFB40C815
                            SHA-256:57DD378C031D5699015EE4CC510A35693C08C231F4D4B14754B44D1D13CB8C48
                            SHA-512:D19BAC1D142AEC1608817C097573A67A4EC209CE4622B9D691E28C10A5D5BE330A0CB99EA45A20C65F8F466B3E4B897F4FCC456846618051E2C6C8197E9759AB
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ko../..B/..B/..B...B,..B/..Bc..B&v.B?..B&v.Bf..B&v.B5..B&v.B...B1\.B...B&v.B...BRich/..B........................PE..L...+}oP...........!.................*..............................................3.....@.............................f......(.......................`...........0...............................@#..@............................................text............................... ..`.data...............................@....rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Common Files\Microsoft Shared\Source user\OSE.EXE

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):149352
                            Entropy (8bit):6.5641450191049735
                            Encrypted:false
                            SSDEEP:1536:vC4QOL26NOd32mM6X/pGzd4t/qcarbwNfQ8WfQJ+ItkbKR2zy2IoN7Zo86eAI0UV:K4QgNOd3z44Kw6JrokFyF5Zat/Vq09oi
                            MD5:9D10F99A6712E28F8ACD5641E3A7EA6B
                            SHA1:835E982347DB919A681BA12F3891F62152E50F0D
                            SHA-256:70964A0ED9011EA94044E15FA77EDD9CF535CC79ED8E03A3721FF007E69595CC
                            SHA-512:2141EE5C07AA3E038360013E3F40969E248BED05022D161B992DF61F21934C5574ED9D3094FFD5245F5AFD84815B24F80BDA30055CF4D374F9C6254E842F6BD5
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.P."..."..."......"......"..."..."...Zv.."...Z`.."...Zw.."...Zg.."...Zr.."..Rich."..................PE..L....TIK.....................N......r?.......0...............................p............@..........................................@..0............0..h....P......`...8............................>..@............................................text............................... ..`.data...............................@....rsrc...0....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\MSECache\AceRedist\1033\AceRedist.msi

                            Download File
                            Process:C:\Users\user\Desktop\AccessDatabaseuser.exe
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Access database user 2010 (English), Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Release, Comments: This Installer database contains the logic and data required to install Microsoft Access database user 2010 (English)., Template: Intel;1033, Revision Number: {05CF0009-88BA-4D1A-86DA-5DE0B6FAEFF2}, Create Time/Date: Fri Jun 28 21:35:44 2013, Last Saved Time/Date: Fri Jun 28 21:35:44 2013, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.0.5419.0), Security: 2
                            Category:dropped
                            Size (bytes):26697728
                            Entropy (8bit):7.981418003582255
                            Encrypted:false
                            SSDEEP:786432:EMOfoJ3okLTpKIoxfaMnWGcMxBWH9m18:J4o6kLTpMXvBWHA18
                            MD5:85A6869262CE6A071BE66989351D7633
                            SHA1:A1FE61869A4323CCA082E736AFAD9C6838BF0EDA
                            SHA-256:AA7593A82BDE2B70B91AE1DA1EF70CE46CDA0D619BD86B08DA133755B93A9B5D
                            SHA-512:51FBD64BE2B7E491AC74FAB36D87FD06052E25C179631D8B6CEC8061462D01441B4F7B49C053EA69CA243C1EBBF9A7B6B3F727E502273ED9F53D1860CBD00F73
                            Malicious:false
                            Preview:......................>............................................6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6.............................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                            C:\Program Files (x86)\MSECache\AceRedist\1033\Catalog\files14.cat

                            Download File
                            Process:C:\Users\user\Desktop\AccessDatabaseuser.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3285039
                            Entropy (8bit):4.9500464410734555
                            Encrypted:false
                            SSDEEP:24576:ZQ77OddddddddddddddddddddddddddddddddddddddSneHXjj/BMtb117XYUb0n:Kpcn
                            MD5:8ADA3622562B9A7607E68CEC0BB2D6E7
                            SHA1:8CFABE3FB2EC018D5657465B0992A5C2F95CDB8C
                            SHA-256:0A4075BFA646C1F7B902FFB644AE179DE74A141090C54089A1EF948D83169B63
                            SHA-512:9C34774912379231961B6EFC9DD26A4770F2779AB9011E3F8CFF5FB6DBD7C4BB14216F0A92AD6E97E8100881DA113545AAE362D60D0CD7A46C4FFBCC7E74E4A9
                            Malicious:false
                            Preview:0.2 *..*.H........2 .0.2 ....1.0...+......0.2.?..+.....7....2./0.2.*0...+.....7...... ...:M....lj.C..100428202918Z0...+.....7.....0.2..0....R0.0.1.7.8.9.5.0.6.7.F.2.A.A.4.4.C.3.9.3.1.5.6.9.5.8.7.C.A.C.F.4.2.A.F.6.A.1.8.E...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........Pg.D..iX|..*...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R0.0.2.6.E.3.7.4.9.6.6.8.0.E.1.1.9.1.5.0.C.2.4.3.3.C.0.1.D.C.A.7.A.F.0.8.C.7.A.3...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........&.t.h...P.C<.....0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R0.0.2.6.E.3.7.4.9.6.6.8.0.E.1.1.9.1.5.0.C.2.4.3.3.C.0.1.D.C.A.7.A.F.0.8.C.7.A.3...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........&.t.h...P.C<.....0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E

                            C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLIST.CHM

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:MS Windows HtmlHelp Data
                            Category:dropped
                            Size (bytes):433434
                            Entropy (8bit):7.960697988910112
                            Encrypted:false
                            SSDEEP:12288:HSzxpydHm8dwmsYDI+NuZydfUzmtH+dKL:HSzcbdwvYDI+YZydfUCtOKL
                            MD5:89920DC13154BE087439A2935B0C78FD
                            SHA1:3FF745F432C62D95E492F502BA40E2A9D0DE182A
                            SHA-256:16D7794BC0D43F8C8CAD61F6FD431B168026BD4B369E06ED8125C5D1A6B5FE88
                            SHA-512:5416B87CCEE34A044D8054410073B8DC2FC145587872E22CDF0B8B92EDCBC79DAE2E94A420CD8CD7B94B5ECC4F4D5763FD580A100C52EE82D7FAC1B24E721DB4
                            Malicious:false
                            Preview:ITSF....`........c........|.{.......".....|.{......."..`...............x.......TP.......P..............................ITSP....T...........................................j..].!......."..T...............PMGL4................/..../#IDXHDR....../#ITBITS..../#IVB...`.l./#STRINGS.....N./#SYSTEM..F.4./#TOPICS.....0./#URLSTR....}./#URLTBL...9.d./#WINDOWS.....L./$FIftiMain......v./$OBJINST...T.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...P../$WWKeywordLinks/..../$WWKeywordLinks/Property...L../html/..../html/About_HP10355287.htm...h.w./html/AbtAData_HP10355320.htm..._.../html/AbtConst_HP10355217.htm...h.0./html/Abtdocl_HP10355230.htm......./html/aChrtXl_HP10355274.htm...*.! /html/AddMVChoice_HA10355234.htm...K.. /html/AddMVLookup_HA10355235.htm...a.`./html/AddRC_HP10355236.htm...A.../html/AdEdCC_HP10355237.htm...P.../html/AEDdata_HP10355238.htm...[.6./html/aExpAx_HP10355300.htm.....1./html/aExpDtsh_HP10355221.htm...B.../html/aExpXl_HP10355375.htm...S.:./html/AppFil_HP10355241.

                            C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):88464
                            Entropy (8bit):4.038953430996915
                            Encrypted:false
                            SSDEEP:1536:lmNeNT+YcuUhOojh+O0uHkpCnLye4sKjthM+9rHUM:cNeNEhOeFtLAsOthM+9oM
                            MD5:528DE8FCB5FBBE1D23AD4D37270BEC2E
                            SHA1:AB50FC129D8E8D6240E8A35971AA862E66449F57
                            SHA-256:338DED3648ED5133370FBECECF7A3C216A58173CDB956F1A9321E11E610EBC19
                            SHA-512:B832FACB8939D4FA9A8E2A41E59F0237BCAB891CD30CB3F03332A5679E8D310214EDAF2DA89B3E6F66DF662000FF0FCBAA2D5BF9719175819E80492A787BEE82
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u..E...E...E...Ll..D...Ll..D...RichE...................PE..L....8.K...........!.........@...............................................P...........................................................?...........B...............................................................................................rsrc....?.......@..................@..@............................................................0.......p....................................2.......2.......2.. ....2..8....2..P....2..h....................,.......,.......-..........................................................(.......@...l...X...m...p...n...........................................................0.......H.......`.......x....................................................... .......8.......P.......h...............................................................(.......@.......X.......p...

                            C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLL

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2834128
                            Entropy (8bit):6.510797306685462
                            Encrypted:false
                            SSDEEP:49152:j+2DNcxkwEDYFw3Di+hdwwQEEKLHz0InJQz7R7WTGSw6m:VWk1Z3LSKLHJnJytWNw
                            MD5:9E1216ACA980D400BDFF51E8458A8ED3
                            SHA1:38396E25F505D4AB4FB481FAB59605F3BF87098B
                            SHA-256:D2F62D557485399B6D3544B3023BDDFA89D71A3A69F881E41381591A7A2D23DD
                            SHA-512:473FB5700490519E9DD878203947E0AB328299DE77F75922216478251EA0205CB4ACBDC76B840559C20685BE5363F7633218D80D54CACF8F2F97CBE23B9D7BC8
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........J..$..$..$.....$.....$.X....$..qI..$..q_..$..$..$..qJ..$..%.$.....$.....$....p.$.....$.....$.....$.Rich.$.........PE..L....{:Q...........!......"..................0%....>.........................`+......r+...@..........................i".....P{".......$..............$+......@).......".8...............................@....................n"......................text....."......."................. ..`.data.........".......".............@....rtext..L.....$......j$.............@....rsrc.........$......l$.............@..@.reloc.......@).......).............@..B........................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\MSI127D.tmp

                            Download File
                            Process:C:\Users\user\Desktop\AccessDatabaseuser.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):373312
                            Entropy (8bit):6.500188156806958
                            Encrypted:false
                            SSDEEP:6144:308k6+uFxagMpTZA/EvjkJLzF6bmXnYGWrsoa76AQ9UvFA:308vbyJ8LzF6bmXMsoK/QavFA
                            MD5:4572882DF9A2C11116522E7784F0E2BB
                            SHA1:140586DAACA44C40249B0D70DEDF0398193EA562
                            SHA-256:45C765CA08B371AB16FB45FE8EE469C4F77F4B935C5FD54D7CB48FBC34979E4F
                            SHA-512:C3FF748E6C45296CE15433BEC7E9A9AE619B5672D00E408E5889C470385D04CACD415A522DC2B2E70F1B5B75C7335A16AF5DDF238E719C53FCA44B2B3EA3C4F2
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+].Qo<..o<..o<..qn}.n<..fDl.v<..fDz..<......h<......m<..H...i<..H...N<..o<...=..fDk.n<..fD}..<..fDh.n<..Richo<..................PE..L...r..P...........!.....&...........T.......`.......................................N....@..........................".......&..........................@........6..D4..8...........................h...@....................$..`....................text....$.......&.................. ..`.data....G...@...6...*..............@....reloc...6.......8...`..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\Microsoft Access Database user 2010 (0).log

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (498), with CRLF, LF line terminators
                            Category:dropped
                            Size (bytes):2376520
                            Entropy (8bit):3.75762839758351
                            Encrypted:false
                            SSDEEP:3072:m9jd+GLymcCbFj2GxV+NL+h5uW5mqbKngMpAjf81/vYT6gx+CiNr890VBFcpiT+G:ajjpiT+5jfo9hFMu
                            MD5:A95A669155942B284007F01CA295B2DB
                            SHA1:46C57B46BE4CFE48137042436127C1CAD743D264
                            SHA-256:90B363E80C0039C8E23D255AB7115F3F3864B3612688E8282504CECA665F8EB5
                            SHA-512:3290ACB6EF1B891382ACCA7430FB3775BB4C24E7B29F9B21DD6F81AF7B22E853A9A081BE0660F8F7A859EDE5FED8540C9443683BC941AE015AC7F304A4162975
                            Malicious:false
                            Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.5./.0.1./.2.0.2.5. . .1.0.:.2.1.:.0.7. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.D.e.s.k.t.o.p.\.A.c.c.e.s.s.D.a.t.a.b.a.s.e.E.n.g.i.n.e...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.3.8.:.A.C.). .[.1.0.:.2.1.:.0.8.:.0.0.2.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.3.8.:.A.C.). .[.1.0.:.2.1.:.0.8.:.0.0.2.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.3.8.:.A.4.). .[.1.0.:.2.1.:.0.8.:.0.4.9.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.3.8.:.A.4.). .[.1.0.:.2.1.:.0.8.:.0.4.9.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.

                            C:\Windows\Installer\594d15.msi

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Access database user 2010 (English), Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Release, Comments: This Installer database contains the logic and data required to install Microsoft Access database user 2010 (English)., Template: Intel;1033, Revision Number: {05CF0009-88BA-4D1A-86DA-5DE0B6FAEFF2}, Create Time/Date: Fri Jun 28 21:35:44 2013, Last Saved Time/Date: Fri Jun 28 21:35:44 2013, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.0.5419.0), Security: 2
                            Category:dropped
                            Size (bytes):26697728
                            Entropy (8bit):7.981418003582255
                            Encrypted:false
                            SSDEEP:786432:EMOfoJ3okLTpKIoxfaMnWGcMxBWH9m18:J4o6kLTpMXvBWHA18
                            MD5:85A6869262CE6A071BE66989351D7633
                            SHA1:A1FE61869A4323CCA082E736AFAD9C6838BF0EDA
                            SHA-256:AA7593A82BDE2B70B91AE1DA1EF70CE46CDA0D619BD86B08DA133755B93A9B5D
                            SHA-512:51FBD64BE2B7E491AC74FAB36D87FD06052E25C179631D8B6CEC8061462D01441B4F7B49C053EA69CA243C1EBBF9A7B6B3F727E502273ED9F53D1860CBD00F73
                            Malicious:false
                            Preview:......................>............................................6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6.............................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                            C:\Windows\Installer\594d17.msi

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Access database user 2010 (English), Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Release, Comments: This Installer database contains the logic and data required to install Microsoft Access database user 2010 (English)., Template: Intel;1033, Revision Number: {05CF0009-88BA-4D1A-86DA-5DE0B6FAEFF2}, Create Time/Date: Fri Jun 28 21:35:44 2013, Last Saved Time/Date: Fri Jun 28 21:35:44 2013, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.0.5419.0), Security: 2
                            Category:dropped
                            Size (bytes):26697728
                            Entropy (8bit):7.981418003582255
                            Encrypted:false
                            SSDEEP:786432:EMOfoJ3okLTpKIoxfaMnWGcMxBWH9m18:J4o6kLTpMXvBWHA18
                            MD5:85A6869262CE6A071BE66989351D7633
                            SHA1:A1FE61869A4323CCA082E736AFAD9C6838BF0EDA
                            SHA-256:AA7593A82BDE2B70B91AE1DA1EF70CE46CDA0D619BD86B08DA133755B93A9B5D
                            SHA-512:51FBD64BE2B7E491AC74FAB36D87FD06052E25C179631D8B6CEC8061462D01441B4F7B49C053EA69CA243C1EBBF9A7B6B3F727E502273ED9F53D1860CBD00F73
                            Malicious:false
                            Preview:......................>............................................6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6.............................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                            C:\Windows\Installer\MSI51B9.tmp

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):28672
                            Entropy (8bit):3.741623752383387
                            Encrypted:false
                            SSDEEP:192:XOdG/6G4nnykxsdYZ+mrv2ySzLUHypLGgjuXFw5acHKBNtHjhuHWrkA9uBP1WWzT:P6GuZBrvkzAHyxxHKBdaA2dWWzm0ZH
                            MD5:85221B3BCBA8DBE4B4A46581AA49F760
                            SHA1:746645C92594BFC739F77812D67CFD85F4B92474
                            SHA-256:F6E34A4550E499346F5AB1D245508F16BF765FF24C4988984B89E049CA55737F
                            SHA-512:060E35C4DE14A03A2CDA313F968E372291866CC4ACD59977D7A48AC3745494ABC54DF83FFF63CF30BE4E10FF69A3B3C8B6C38F43EBD2A8D23D6C86FBEE7BA87D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........CnuS".&S".&S".&t.}&P".&S".&.".&t.{&X".&t.m&^".&t.z&R".&t.n&R".&t.x&R".&RichS".&........................PE..L...\..C...........!.....@... .......6.......P....@..........................p......I................................B.......=..x............................`......0...............................x...@............................................text....2.......@.................. ..`.data...h....P.......P..............@....reloc..<....`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Installer\MSI541B.tmp

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):321801
                            Entropy (8bit):6.215807727718274
                            Encrypted:false
                            SSDEEP:6144:4hrGH5MhIaO9j14yjSqLBzghDC8Ra23HuySnavx+5Xqp42Rl+iurVnWfVKXlyUTW:i4QC1wfHM7CJ
                            MD5:319358F76A33087C58F4963AB22420AA
                            SHA1:2714C23E786D49107488B7224D6C7A087CD194B6
                            SHA-256:D3A1C8AD28E57445D0F9895932BFA97B603ADEAF770DA0F01D32B6A3801F5930
                            SHA-512:D67C083DD738BE8886A92FECEAFF45A10A44A6FD78B52BBD9EAD3CE6EF2B0B44B1B320EDD9443C5B696FE7CB25D644216C8511EE8E2937A31BD255D90E558C0C
                            Malicious:false
                            Preview:...@IXOS.@.....@.R/Z.@.....@.....@.....@.....@.....@......&.{90140000-00D1-0409-0000-0000000FF1CE}/.Microsoft Access database user 2010 (English)..AceRedist.msi.@.....@g....@.....@........&.{05CF0009-88BA-4D1A-86DA-5DE0B6FAEFF2}.....@.....@.....@.....@.......@.....@.....@.......@..../.Microsoft Access database user 2010 (English)......Rollback..Rolling back installation..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@!....@.....@.]....&.{398E906A-826B-48DD-9791-549C649CACE5}E.C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL.@.......@.....@.....@......&.{A6D1C76C-5B2F-4D54-8682-95738E88B3AC}<.C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLL.@.......@.....@.....@......&.{88D5AF78-19C6-4D47-B4EC-5BAF83D02E92}I.C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL.@.......@.....@.....@......&.{1CDB09B8-58BA-46B5-B334-0F38167D3AC1}H.C:\Program Files (x8

                            C:\Windows\Installer\MSI542C.tmp

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):152064
                            Entropy (8bit):6.508790784114524
                            Encrypted:false
                            SSDEEP:1536:KJS28uK6Gf6oGFDrJMxiPXzr8iOE6uqR4JjAK3Xf5n4TbTwzx/JQ5jR1bQlWkjWt:wSMtlFCuU4F3tM1wWkaUfHM64kQ+
                            MD5:33908AA43AC0AAABC06A58D51B1C2CCA
                            SHA1:0A0D1CE3435ABE2EED635481BAC69E1999031291
                            SHA-256:4447FAACEFABA8F040822101E2A4103031660DE9139E70ECFF9AA3A89455A783
                            SHA-512:D5216A53DF9CFBE1A78629C103286EB17042F639149C46B6A1CD76498531AE82AFD265462FBE0BA9BAAFF275FC95C66504804F107C449F3FC5833B1ED9C3DA46
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............V&......V0......................."....V7......V!......V'......V".....Rich....................PE..L...Z.;J...........!.........`......W........0............................................@..........................$...............p..............................................................X4..@............................................text............................... ..`.data....;...0......................@....rsrc........p......................@..@.reloc...............4..............@..B................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Installer\MSI547B.tmp

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):264816
                            Entropy (8bit):6.603718145708859
                            Encrypted:false
                            SSDEEP:6144:oHZrr0HLZ11JK2YjtjiLCgYGdGgD396qdRS:oHZrrAt1DKvp+LRYGdPDH7S
                            MD5:DBC010FC3F00557C0CF08637F2B03B3F
                            SHA1:1FFAA7637BADE6A30371E6DA473E3CBC8EABCA6E
                            SHA-256:54D8AC05A1C448C3A24148C8C70804770AB43C1A3968A2FB6670A5652B77A873
                            SHA-512:C37BCF6B916B4194BC41177DDB93016177F5A50276624BE3F6426FC9DD1725C3DE29A797181959C35FDD114A722AB5A1B80E485E93141628A6B25F6B8AE772CD
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........gK..4K..4K..4U.^4L..4B.O4\..4B.Y4..4lQ.4I..4lQ.4R..4K..4m..4B.H4J..4B.N4J..4B.^4&..4B.K4J..4RichK..4................PE..L.....P...........!.................L.............A.........................P......I.....@.........................\...|...l...........................p.... ...#..8...8...........................H...@......................`....................text.............................. ..`.data....W..........................@....rsrc...............................@..@.reloc...#... ...$..................@..B........................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Installer\MSI5612.tmp

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):152064
                            Entropy (8bit):6.508790784114524
                            Encrypted:false
                            SSDEEP:1536:KJS28uK6Gf6oGFDrJMxiPXzr8iOE6uqR4JjAK3Xf5n4TbTwzx/JQ5jR1bQlWkjWt:wSMtlFCuU4F3tM1wWkaUfHM64kQ+
                            MD5:33908AA43AC0AAABC06A58D51B1C2CCA
                            SHA1:0A0D1CE3435ABE2EED635481BAC69E1999031291
                            SHA-256:4447FAACEFABA8F040822101E2A4103031660DE9139E70ECFF9AA3A89455A783
                            SHA-512:D5216A53DF9CFBE1A78629C103286EB17042F639149C46B6A1CD76498531AE82AFD265462FBE0BA9BAAFF275FC95C66504804F107C449F3FC5833B1ED9C3DA46
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............V&......V0......................."....V7......V!......V'......V".....Rich....................PE..L...Z.;J...........!.........`......W........0............................................@..........................$...............p..............................................................X4..@............................................text............................... ..`.data....;...0......................@....rsrc........p......................@..@.reloc...............4..............@..B................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Installer\MSI6F58.tmp

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):152064
                            Entropy (8bit):6.508790784114524
                            Encrypted:false
                            SSDEEP:1536:KJS28uK6Gf6oGFDrJMxiPXzr8iOE6uqR4JjAK3Xf5n4TbTwzx/JQ5jR1bQlWkjWt:wSMtlFCuU4F3tM1wWkaUfHM64kQ+
                            MD5:33908AA43AC0AAABC06A58D51B1C2CCA
                            SHA1:0A0D1CE3435ABE2EED635481BAC69E1999031291
                            SHA-256:4447FAACEFABA8F040822101E2A4103031660DE9139E70ECFF9AA3A89455A783
                            SHA-512:D5216A53DF9CFBE1A78629C103286EB17042F639149C46B6A1CD76498531AE82AFD265462FBE0BA9BAAFF275FC95C66504804F107C449F3FC5833B1ED9C3DA46
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............V&......V0......................."....V7......V!......V'......V".....Rich....................PE..L...Z.;J...........!.........`......W........0............................................@..........................$...............p..............................................................X4..@............................................text............................... ..`.data....;...0......................@....rsrc........p......................@..@.reloc...............4..............@..B................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Installer\SourceHash{90140000-00D1-0409-0000-0000000FF1CE}

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):1.162437607983155
                            Encrypted:false
                            SSDEEP:12:JSbX72FjioSAGiLIlHVRpiBh/7777777777777777777777777vDHFOV5Wrgp7lN:JiQI5AXDF
                            MD5:CE2A95E3A656C4A0A8369401EE084AD6
                            SHA1:9E8732441368440EA200BD3756FDAEE05A3703BC
                            SHA-256:97E551DEF94C8092723641506B56D53E225DFBC15C5C07679C35DC8B54C69EB5
                            SHA-512:89668E33C29FFD2B8B4CE5BE11BE5F7E6751B918D1D2830575BEEBAB5F8FE83060CFA8C61CCA7F23DF80CB130DC2F47FEDE749DCAAFFFEF57A38C4AE0997ACB5
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Installer\inprogressinstallinfo.ipi

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):1.5604504441426843
                            Encrypted:false
                            SSDEEP:48:S8Ph5uRc06WXJKjT5jCdBT1GETkfAdCCS5kY2AdCCSIOpnT1G:9h51BjT0JGETl6UJG
                            MD5:C5DBA15B32B5A590393A08805AF882ED
                            SHA1:5339F2701C5A120834F54F0E9E9358F3786EAF50
                            SHA-256:780FD584EA798356B93959515685C4773B458413D789D92BBFC5F0E73C05D7C8
                            SHA-512:8F5E87786C8D8CBDEF25F825C8C1BB1C9401EDFA97592E0655B30CA936AB19AAE84742267F25FDE76BDEE383760AB75E6865309C8779AD908DB975C4F0426140
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):360001
                            Entropy (8bit):5.362989231433142
                            Encrypted:false
                            SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauQ:zTtbmkExhMJCIpEx
                            MD5:5FB760DAC1CF709A6947BB4CA9485E6A
                            SHA1:9D82FC382C76C484D5864F30998733715ED882C8
                            SHA-256:205691E2C1A9C76FD72D4F08CEF9693D88E5F7ACC50C123ED7558B702F8E01D5
                            SHA-512:CDBAA1E6AFA73C6486FCB9042F768F28D66D7440AEFA6327188C554162F3766047DE8EFCE88CC4C2E20AB018EE942AD7D4180670CFBE04AD2A3FA140302C01E9
                            Malicious:false
                            Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                            C:\Windows\Temp\~DF0263B061B23F3CE7.TMP

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):1.5604504441426843
                            Encrypted:false
                            SSDEEP:48:S8Ph5uRc06WXJKjT5jCdBT1GETkfAdCCS5kY2AdCCSIOpnT1G:9h51BjT0JGETl6UJG
                            MD5:C5DBA15B32B5A590393A08805AF882ED
                            SHA1:5339F2701C5A120834F54F0E9E9358F3786EAF50
                            SHA-256:780FD584EA798356B93959515685C4773B458413D789D92BBFC5F0E73C05D7C8
                            SHA-512:8F5E87786C8D8CBDEF25F825C8C1BB1C9401EDFA97592E0655B30CA936AB19AAE84742267F25FDE76BDEE383760AB75E6865309C8779AD908DB975C4F0426140
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Temp\~DF3439C44FE1B66F88.TMP

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):73728
                            Entropy (8bit):0.135895696490115
                            Encrypted:false
                            SSDEEP:48:0T1GGOpCAdCCSoAdCCS5kY32TxT1GzdF:0JG3OXTxJG
                            MD5:BCC6E1CC2423C792A1E297105097E1AE
                            SHA1:F018729E351FB2E8D0A1F97BB5714AE644D22D43
                            SHA-256:47A3B1B1448718DB4F0CABA6DAF5CB66155B76D1618DC446EEC25866D639EDF1
                            SHA-512:E45C7800869A207F9932EE87CB265462B9094A4B091663563342BF75926263E1C99BE289FFFFAF876D2F0D9CE3D8A6A68CD8045963141DEFD24AB0E5DF1F64CA
                            Malicious:false
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Temp\~DF60A12C85B645FA70.TMP

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):0.07064272341071551
                            Encrypted:false
                            SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOh8is8oWrdztiVky6l7:2F0i8n0itFzDHFOV5Wrhb7
                            MD5:11E76F55CECB20E5A5BCD83FC064137C
                            SHA1:B46650DC9531868F7D02B45E8000C8AFA87628EE
                            SHA-256:E4BC4D6EEA6E2EED5DC74EF2818AC5E43C9A7AD6F51CC5CC342AFF5E7E0056DF
                            SHA-512:774B247A88EA1DD1FB643B4EAF011E3FC0CB9FC74C28E198100F72B1BA0CAB49F03292DD90FE78A62DD1B6522C5C573796E0C655BEAB5F3DF89396DE1E7DABCA
                            Malicious:false
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Temp\~DF65494D1E5502A4DC.TMP

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):1.2507267664898283
                            Encrypted:false
                            SSDEEP:48:l4Bu/rhLFXJdT5fCdBT1GETkfAdCCS5kY2AdCCSIOpnT1G:GBSFTwJGETl6UJG
                            MD5:B5E12DB90DD367C370BAF2243C2CD665
                            SHA1:D917C9A4029FA74AE816BD5F166F2B6739E6EFD1
                            SHA-256:7DA522CD112A3C807FE0DD2D90A7041B70CD21641B9E6C298F7290A02C58F901
                            SHA-512:3529E054E83740F6E7DF588F46E9D94F0D976E463C86E6D6B9237CC4C0E454F787D6ABF4554CA20CC6996C609FD4712076113567E91D8EB18D60D7200DB53C40
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Temp\~DF923598E328332295.TMP

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Temp\~DFBBA76014774796AF.TMP

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Temp\~DFCB7769857CB82622.TMP

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\Temp\~DFE011A7EECFC1D52C.TMP

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):1.2507267664898283
                            Encrypted:false
                            SSDEEP:48:l4Bu/rhLFXJdT5fCdBT1GETkfAdCCS5kY2AdCCSIOpnT1G:GBSFTwJGETl6UJG
                            MD5:B5E12DB90DD367C370BAF2243C2CD665
                            SHA1:D917C9A4029FA74AE816BD5F166F2B6739E6EFD1
                            SHA-256:7DA522CD112A3C807FE0DD2D90A7041B70CD21641B9E6C298F7290A02C58F901
                            SHA-512:3529E054E83740F6E7DF588F46E9D94F0D976E463C86E6D6B9237CC4C0E454F787D6ABF4554CA20CC6996C609FD4712076113567E91D8EB18D60D7200DB53C40
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dll

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):225280
                            Entropy (8bit):6.034450906226583
                            Encrypted:false
                            SSDEEP:3072:P5wveocziNzMLSMOYscmuW0AXLiLR4JpA86Goao1vJU87/amFYw8fF01OyAILH:hwyOMqcp3AXOLR4JpL6ft3/amiX2OyX
                            MD5:67BDB40FBE6CECC320507161B58D134A
                            SHA1:11EC8313BA20E96A0F776A018586CC127A451E16
                            SHA-256:A15EAABBE6C32FBA34C1CACD8C0F206C28A69A8B73E619C962D812AE7FA0F844
                            SHA-512:687289C5740E5316ABDAEC56BBB6C0A629FC1F374B865A61F71AE3561738B42D3C31987E53ED0DBAED0AEFD357824303B0DD7527BAA81FEE2434A4BCDEC6433D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...h...h...h..ah...h1.dh...h..gh...h...h...h.-.h...h...h...h..qh...h..vh...h..`h...h..fh...h..ch...hRich...h........................PE..L....LYJ...........!.....:..........Z........P....?x.........................0............@......................... 3..4....&..d...............................d...P...............................H...@...............(...........p...H............text...T9.......:.................. ..`.data........P.......>..............@....rsrc................H..............@..@.reloc...#.......$...L..............@..B........................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dll

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):569664
                            Entropy (8bit):6.521726174641651
                            Encrypted:false
                            SSDEEP:12288:iZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8bw:iZSZ13iwJmgLq83Ooc8SHkC2efw
                            MD5:B2EEE3DEE31F50E082E9C720A6D7757D
                            SHA1:3322840FEF43C92FB55DC31E682D19970DAF159D
                            SHA-256:4608BEEDD8CF9C3FC5AB03716B4AB6F01C7B7D65A7C072AF04F514FFB0E02D01
                            SHA-512:8B1854E80045001E7AB3A978FB4AA1DE19A3C9FC206013D7BC43AEC919F45E46BB7555F667D9F7D7833AB8BAA55C9098AF8872006FF277FC364A5E6F99EE25D3
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...~LYJ...........!.....4...p..............P....Hx......................................@..........................P..,....E..<.......................@.......43...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dll

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):653120
                            Entropy (8bit):6.883968356674239
                            Encrypted:false
                            SSDEEP:12288:shr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyvRt:cU9FNPPbxPP2OeL9Q2pUmRyyvRt
                            MD5:7538050656FE5D63CB4B80349DD1CFE3
                            SHA1:F825C40FEE87CC9952A61C8C34E9F6EEE8DA742D
                            SHA-256:E16BC9B66642151DE612EE045C2810CA6146975015BD9679A354567F56DA2099
                            SHA-512:843E22630254D222DFD12166C701F6CD1DCA4A8DC216C7A8C9C0AB1AFC90189CFA8B6499BBC46408008A1D985394EB8A660B1FA1991059A65C09E8D6481A3AF8
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...yLYJ...........!.....\..........@-.......p....Rx.........................0............@..............................|..P...(.......................@........3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Windows\WinSxS\InstallTemp\20250115102131222.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.cat

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):7473
                            Entropy (8bit):7.340614348720467
                            Encrypted:false
                            SSDEEP:192:kh0ifIJ2hEi1HnNpBjSebyaAqjkKiTbmr3TSc2Q:ky3eHNpBjTeajCynn
                            MD5:BDDF54672A53F5DEA80F8202CD39C481
                            SHA1:207C39103155AA3B6A7AF25B3E4A91AEB82898CB
                            SHA-256:2717A5A51CFA1F0371B9FBB344D79554B0EFA3A6FF94DA3DC6664F7AF13C5048
                            SHA-512:DD4A4F2FD470235602BA0645AAEFCB9664B41FFE228C654D94779164C095E828C69FCB74B0B70442C79DD2AAC6072FC295224DC8507EFAA37DF64EC5C5633BDD
                            Malicious:false
                            Preview:0..-..*.H..........0......1.0...+......0..u..+.....7.....f0..b0...+.....7......J...o8I......c..090712070759Z0...+.....7.....0...0....RD.8.B.A.8.1.E.D.6.5.8.6.8.2.5.8.3.5.B.7.6.E.9.D.5.6.6.0.7.7.4.6.6.E.E.4.1.A.8.5...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........e..X5.n.V`wFn...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....M.i.c.r.o.s.o.f.t...V.C.9.0...C.R.T...m.a.n...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........e..X5.n.V`wFn...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}........0...0..........a........"0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA0...081022223914Z..100122224914Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....MOPR1E0C..U...<Microsoft Develo

                            C:\Windows\WinSxS\InstallTemp\20250115102131222.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.manifest

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
                            Category:dropped
                            Size (bytes):1860
                            Entropy (8bit):5.392371898016726
                            Encrypted:false
                            SSDEEP:48:3SlK+vU6g49Pd09kkKKMzEAZ09kkKxrzVHNw09kkK3zY:Clt8CtdXks5ZXk8pNwXkK8
                            MD5:53213FC8C2CB0D6F77CA6CBD40FFF22C
                            SHA1:D8BA81ED6586825835B76E9D566077466EE41A85
                            SHA-256:03D0776812368478CE60E8160EC3C6938782DB1832F5CB53B7842E5840F9DBC5
                            SHA-512:E3CED32A2EABFD0028EC16E62687573D86C0112B2B1D965F1F9D0BB5557CEF5FDF5233E87FE73BE621A52AFFE4CE53BEDF958558AA899646FA390F4541CF11EB
                            Malicious:false
                            Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr90.dll" hashalg="SHA1" hash="98e8006e0a4542e69f1a3555b927758bd76ca07d"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>+CXED+6HzJlSphyMNOn27ujadC0=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="3aec3be680024a46813dee891a753bd58b3f3b12"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:d

                            C:\Windows\WinSxS\InstallTemp\20250115102131238.0\9.0.30729.4148.cat

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):7522
                            Entropy (8bit):7.328101670485594
                            Encrypted:false
                            SSDEEP:192:iZ3fIJ2hEi1HnNpBjSebyaAqjkKiTbGpTcf:uQeHNpBjTeajC48
                            MD5:F4F36BE5F6F26473AE2916D3614E04D0
                            SHA1:CC81719FE7AC6BF72E2413206C6CAE4857CE4B9A
                            SHA-256:44D63039DADFDE315555A2E4773153AB795AB46F254F7A21A8B3B6A29F71EE20
                            SHA-512:27B5296422EC11639C8CF261C7B1057DB2FB5BB9E7771F4D3947D3742761C8634D1A7AC2DE2462A47CC4C4873422F406A046E4475A6A4DF97FA0FE270D95B0B2
                            Malicious:false
                            Preview:0..^..*.H.........O0..K...1.0...+......0.....+.....7......0..{0...+.....7.....t..n.. E........090712023807Z0...+.....7.....0..80....R5.E.3.9.1.7.8.6.7.3.0.5.F.D.B.F.0.7.D.9.3.0.1.B.D.4.6.3.2.F.8.6.2.E.2.6.8.0.7.2...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........^9..s.....0..c/..&.r0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....Fp.o.l.i.c.y...9...0.0...M.i.c.r.o.s.o.f.t...V.C.9.0...C.R.T...m.a.n...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........^9..s.....0..c/..&.r0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}........0...0..........a........"0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA0...081022223914Z..100122224914Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....MOPR1E

                            C:\Windows\WinSxS\InstallTemp\20250115102131238.0\9.0.30729.4148.policy

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):764
                            Entropy (8bit):5.318118661435931
                            Encrypted:false
                            SSDEEP:12:TMHdtXBFN8uN53SNbMHpaXOr6gVuNnOw53SNK+MHCgVuNnm/6hdSIXOV/FkxqOK3:2dtXD+uXiNbPXU6g4NnOIiNK+zg4NnoP
                            MD5:8D108E59FDDFA7E845AE8795296EA4FA
                            SHA1:5E3917867305FDBF07D9301BD4632F862E268072
                            SHA-256:7EA6ADD145DAF72CCBFD2140C32DA4718039B2B683CCB02B47C8DB142203E461
                            SHA-512:D93758E1BD6170D5B70653F3C369230F97203CB1E789E6318652EEA128F5B63FFF2FB9CF4D7B16B4938B7856A0A5DB6A365803BA84F32954524E0630E857EE74
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright (c) Microsoft Corporation. All rights reserved. -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">...<assemblyIdentity type="win32-policy" name="policy.9.0.Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>...<dependency>....<dependentAssembly>.....<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.....<bindingRedirect oldVersion="9.0.20718.0-9.0.21022.8" newVersion="9.0.30729.4148"/>.....<bindingRedirect oldVersion="9.0.30201.0-9.0.30729.4148" newVersion="9.0.30729.4148"/>....</dependentAssembly>...</dependency>..</assembly>..

                            C:\Windows\assembly\tmp\9Y4YXQIY\NGBHLPX0

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):908
                            Entropy (8bit):3.591501424910525
                            Encrypted:false
                            SSDEEP:24:QlLOpYplJrYlWBSKnjbc7ww9SWDdkR8Eob7wWqdWJP:yek1DH87ww9xdRBH0dm
                            MD5:8A9FDA784C76AEBFCC8266727C31A77D
                            SHA1:1E5C13D11DBB9252303BFAF3960A0FEC9C7EC238
                            SHA-256:7CBB6401A894AE9DCE3F1EE3D775D6766E4D12545F3397A171E82E24D5B58652
                            SHA-512:009FEFE18B87B589EE041A45EF3A7B3CB04ED1738CE7199CB76722A58F328A1D86A7006BF31505A64F9BE4DE2B0448F273A3CEE10DC40D0B0FEA1D1C6115A404
                            Malicious:false
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.<.c.o.n.f.i.g.u.r.a.t.i.o.n.>.......<.r.u.n.t.i.m.e.>.........<.a.s.s.e.m.b.l.y.B.i.n.d.i.n.g. .x.m.l.n.s.=.".u.r.n.:.s.c.h.e.m.a.s.-.m.i.c.r.o.s.o.f.t.-.c.o.m.:.a.s.m...v.1.".>...........<.d.e.p.e.n.d.e.n.t.A.s.s.e.m.b.l.y.>.............<.a.s.s.e.m.b.l.y.I.d.e.n.t.i.t.y. .p.u.b.l.i.c.K.e.y.T.o.k.e.n.=.".7.1.e.9.b.c.e.1.1.1.e.9.4.2.9.c.". .n.a.m.e.=.".M.i.c.r.o.s.o.f.t...O.f.f.i.c.e...I.n.t.e.r.o.p...A.c.c.e.s.s...D.a.o.". .c.u.l.t.u.r.e.=.".n.e.u.t.r.a.l.".>.<./.a.s.s.e.m.b.l.y.I.d.e.n.t.i.t.y.>.............<.b.i.n.d.i.n.g.R.e.d.i.r.e.c.t. .o.l.d.V.e.r.s.i.o.n.=.".1.2...0...0...0.". .n.e.w.V.e.r.s.i.o.n.=.".1.4...0...0...0.".>.<./.b.i.n.d.i.n.g.R.e.d.i.r.e.c.t.>...........<./.d.e.p.e.n.d.e.n.t.A.s.s.e.m.b.l.y.>.........<./.a.s.s.e.m.b.l.y.B.i.n.d.i.n.g.>.......<./.r.u.n.t.i.m.e.>.....<./.c.o.n.f.i.g.u.r.a.t.i.o.n.>.

                            C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.config (copy)

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):908
                            Entropy (8bit):3.591501424910525
                            Encrypted:false
                            SSDEEP:24:QlLOpYplJrYlWBSKnjbc7ww9SWDdkR8Eob7wWqdWJP:yek1DH87ww9xdRBH0dm
                            MD5:8A9FDA784C76AEBFCC8266727C31A77D
                            SHA1:1E5C13D11DBB9252303BFAF3960A0FEC9C7EC238
                            SHA-256:7CBB6401A894AE9DCE3F1EE3D775D6766E4D12545F3397A171E82E24D5B58652
                            SHA-512:009FEFE18B87B589EE041A45EF3A7B3CB04ED1738CE7199CB76722A58F328A1D86A7006BF31505A64F9BE4DE2B0448F273A3CEE10DC40D0B0FEA1D1C6115A404
                            Malicious:false
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.<.c.o.n.f.i.g.u.r.a.t.i.o.n.>.......<.r.u.n.t.i.m.e.>.........<.a.s.s.e.m.b.l.y.B.i.n.d.i.n.g. .x.m.l.n.s.=.".u.r.n.:.s.c.h.e.m.a.s.-.m.i.c.r.o.s.o.f.t.-.c.o.m.:.a.s.m...v.1.".>...........<.d.e.p.e.n.d.e.n.t.A.s.s.e.m.b.l.y.>.............<.a.s.s.e.m.b.l.y.I.d.e.n.t.i.t.y. .p.u.b.l.i.c.K.e.y.T.o.k.e.n.=.".7.1.e.9.b.c.e.1.1.1.e.9.4.2.9.c.". .n.a.m.e.=.".M.i.c.r.o.s.o.f.t...O.f.f.i.c.e...I.n.t.e.r.o.p...A.c.c.e.s.s...D.a.o.". .c.u.l.t.u.r.e.=.".n.e.u.t.r.a.l.".>.<./.a.s.s.e.m.b.l.y.I.d.e.n.t.i.t.y.>.............<.b.i.n.d.i.n.g.R.e.d.i.r.e.c.t. .o.l.d.V.e.r.s.i.o.n.=.".1.2...0...0...0.". .n.e.w.V.e.r.s.i.o.n.=.".1.4...0...0...0.".>.<./.b.i.n.d.i.n.g.R.e.d.i.r.e.c.t.>...........<./.d.e.p.e.n.d.e.n.t.A.s.s.e.m.b.l.y.>.........<./.a.s.s.e.m.b.l.y.B.i.n.d.i.n.g.>.......<./.r.u.n.t.i.m.e.>.....<./.c.o.n.f.i.g.u.r.a.t.i.o.n.>.

                            C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):11664
                            Entropy (8bit):6.086951835291407
                            Encrypted:false
                            SSDEEP:192:nT3qUGB8tXgWYbZ0czWXlQKPnEtObMacxc8hjXHUz1TrWmWA51c5kU:LjOWYbZ0czWXlLXci2jXHUDjg5x
                            MD5:1AD4166C04970B0F4C69A3E7DDC3CC2D
                            SHA1:E7F541D949BED2038B4DC8BF750D88296146471F
                            SHA-256:31D7176CDF110C15A9001FBA733235FFFD8F3E62823E9C23B68F642C3C2AF53A
                            SHA-512:A93729713E570F49151B4A70226A811FB7A64FA551BB320B8B7CBCEABA8534FA2F809E1300A665D36DBEDA83D8D84D51315810D4146C13AF4C7ED00A0D520C2B
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.K...........!................~(... ...@....@.. ....................................@.................................((..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`(......H........ ..X...................P ........................................./...-W.0..........P.MG...E.!J.I..!...h6y.A=..!.%)m.'.. ...K...*........]...u..L..QT..EAG....i.bi.t9v..p..q......`U+.&BSJB............v2.0.50727......l.......#~......|...#Strings............#US.........#GUID...........#Blob...............I......3....................................................Y.G...z.G.....G.....G.....G.....G.....G.....G...1.G...J.G...c.G.....G.....G.........................

                            C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dll

                            Download File
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):79744
                            Entropy (8bit):5.749473118886424
                            Encrypted:false
                            SSDEEP:1536:VHjzVGyTrbq6VwaueouprFx/Eq8wHgW593vdn9rHU:VHjzYyTrOkwa1nprQq8SRln9o
                            MD5:BB39161455A053800391C52840FC010A
                            SHA1:A1E13CA23113E0FA31FD32D86308F46C781BD17B
                            SHA-256:600D17C72C34E4EAC2F3B43B2E201409C0A3630906B47047A46103BF01B04466
                            SHA-512:9FE0F50B4F27FD5A0C2E3470C2030B2FEE6D59FBB6CA8CA5AD9F117F2353943C874993D71E843777BD0F61A5E0C3DB71C54A4BD9AD2F84C99B306F6D98D013EA
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.K...........!......... ........... ... ....@.. .......................`............@.................................t...W.... ..p............ .......@....................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.998929423643008
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:AccessDatabaseuser.exe
                            File size:26'557'232 bytes
                            MD5:46b666e01d7ea03bc65ec5e1249f7d4b
                            SHA1:0aa027c5d00ca67dd85eafeeb7ab245226331823
                            SHA256:86fecfce83469b3f40ee93e0b54f433209c2bf5626d7f475761024e3f2d4a324
                            SHA512:e4a9511a6f9cfeaa250493e9e3e82e4ec49f57d8c99fe84a1c555437b1d7e77e54097516f3e0eee504cbee89697b999a37cec67eb083b6ace539e12b1356e45a
                            SSDEEP:393216:0jMie1Z3vW5sCM974cstQ6SPD/ExTMUQ6azGdUWhtYBqSEzU/3JHeO8EtbN0IknS:0jSS7cgQ6Sr/E16dWvI6egy0tTFBkKcr
                            TLSH:9B4733236BDC1131D59BB3F5082AABD046B595701930C72AF35AC8BCAF392917879B87
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................0.......&.Y.....!......f..........).....1.......!.......4.....Rich............PE..L....!`O.................l.

                            File Icon

                            Icon Hash:674e4f45a7297639

                            Static PE Info

                            General

                            Entrypoint:0x2e02eddc
                            Entrypoint Section:.text
                            Digitally signed:true
                            Imagebase:0x2e000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x4F602197 [Wed Mar 14 04:41:59 2012 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:0
                            File Version Major:5
                            File Version Minor:0
                            Subsystem Version Major:5
                            Subsystem Version Minor:0
                            Import Hash:97ad647a7b555e8379d6b7032a4c3349

                            Authenticode Signature

                            Signature Valid:true
                            Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                            Signature Validation Error:The operation completed successfully
                            Error Number:0
                            Not Before, Not After
                            • 02/05/2019 23:37:46 02/05/2020 23:37:46
                            Subject Chain
                            • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                            Version:3
                            Thumbprint MD5:6F00C8E4B0871786C50F94F4FDB5B1CE
                            Thumbprint SHA-1:62009AAABDAE749FD47D19150958329BF6FF4B34
                            Thumbprint SHA-256:B5DC4E58C8AFB9688734F6C5CF3ED0D4D89BF8366ACE982CC6B6854C480FC82E
                            Serial:33000001519E8D8F4071A30E41000000000151

                            Entrypoint Preview

                            Instruction
                            call 00007FD974CE5473h
                            jmp 00007FD974CE176Dh
                            mov edi, edi
                            push ebp
                            mov ebp, esp
                            pop ebp
                            jmp 00007FD974CE1C1Bh
                            mov edi, edi
                            push ecx
                            mov dword ptr [ecx], 2E009AF4h
                            call 00007FD974CE54EBh
                            pop ecx
                            ret
                            mov edi, edi
                            push ebp
                            mov ebp, esp
                            push esi
                            mov esi, ecx
                            call 00007FD974CE18D8h
                            test byte ptr [ebp+08h], 00000001h
                            je 00007FD974CE18F9h
                            push esi
                            call 00007FD974CE18C1h
                            pop ecx
                            mov eax, esi
                            pop esi
                            pop ebp
                            retn 0004h
                            mov edi, edi
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            add ecx, 09h
                            push ecx
                            add eax, 09h
                            push eax
                            call 00007FD974CE5523h
                            neg eax
                            pop ecx
                            sbb eax, eax
                            pop ecx
                            inc eax
                            pop ebp
                            retn 0004h
                            mov edi, edi
                            push ebp
                            mov ebp, esp
                            sub esp, 20h
                            mov eax, dword ptr [ebp+08h]
                            push esi
                            push edi
                            push 00000008h
                            pop ecx
                            mov esi, 2E009AF8h
                            lea edi, dword ptr [ebp-20h]
                            rep movsd
                            mov dword ptr [ebp-08h], eax
                            mov eax, dword ptr [ebp+0Ch]
                            pop edi
                            mov dword ptr [ebp-04h], eax
                            pop esi
                            test eax, eax
                            je 00007FD974CE18FEh
                            test byte ptr [eax], 00000008h
                            je 00007FD974CE18F9h
                            mov dword ptr [ebp-0Ch], 01994000h
                            lea eax, dword ptr [ebp-0Ch]
                            push eax
                            push dword ptr [ebp-10h]
                            push dword ptr [ebp-1Ch]
                            push dword ptr [ebp-20h]
                            call dword ptr [2E001120h]
                            leave
                            retn 0008h
                            mov edi, edi
                            push ebp
                            mov ebp, esp
                            push esi
                            mov esi, dword ptr [ebp+14h]
                            push edi
                            xor edi, edi
                            cmp esi, edi
                            jne 00007FD974CE18F6h
                            xor eax, eax
                            jmp 00007FD974CE1957h
                            cmp dword ptr [ebp+00h], edi

                            Rich Headers

                            Programming Language:
                            • [ASM] VS2008 SP1 build 30729
                            • [ C ] VS2008 SP1 build 30729
                            • [C++] VS2008 build 21022
                            • [IMP] VS2005 build 50727
                            • [C++] VS2008 SP1 build 30729
                            • [LNK] VS2008 SP1 build 30729

                            Data Directories

                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0x46e4c0x78.text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x4d0000x5348.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x19516e80x2448
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x530000x3bd4.reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG0x47a900x38.text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xacf00x40.text
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x10000x230.text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x467140x100.text
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                            Sections

                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x10000x46b310x46c00ac9c5d316ee52cd77017cebe8d38a901False0.4681150618374558data6.501753553713817IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data0x480000x46380x2c00d74af3aa9602c3f5a123d11a40ef99deFalse0.2654474431818182data4.503636224887963IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc0x4d0000x53480x5400ddd229dd5a124c043fa372a9b11790b3False0.1900576636904762data3.971649855924063IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc0x530000x3bd40x3c001b85081af4620f34a65bc9c3657048e8False0.7677734375data6.678533556810769IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

                            NameRVASizeTypeLanguageCountryZLIB Complexity
                            RT_ICON0x4d2f40x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States0.41397849462365593
                            RT_ICON0x4d5dc0x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishUnited States0.5641891891891891
                            RT_DIALOG0x4d7040xe4dataEnglishUnited States0.6491228070175439
                            RT_DIALOG0x4d7e80xe4dataEnglishUnited States0.6535087719298246
                            RT_DIALOG0x4d8cc0xfedataEnglishUnited States0.6062992125984252
                            RT_DIALOG0x4d9cc0xfedataEnglishUnited States0.6141732283464567
                            RT_DIALOG0x4dacc0x158dataEnglishUnited States0.5261627906976745
                            RT_DIALOG0x4dc240x158dataEnglishUnited States0.5261627906976745
                            RT_RCDATA0x4dd7c0x3e5edata0.13666541400476012
                            RT_GROUP_ICON0x51bdc0x22dataEnglishUnited States1.0
                            RT_VERSION0x51c000x414dataEnglishUnited States0.3879310344827586
                            RT_MANIFEST0x520140x331XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5250917992656059

                            Imports

                            DLLImport
                            KERNEL32.dlllstrlenW, FreeLibrary, GetProcAddress, LoadLibraryA, CloseHandle, GetExitCodeProcess, WaitForSingleObject, MultiByteToWideChar, lstrlenA, GetFileSize, CreateFileA, CreateDirectoryA, DeleteFileA, GetTempFileNameA, GetTempPathA, GetFullPathNameA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, CopyFileA, MoveFileA, Sleep, Process32Next, Process32First, CreateToolhelp32Snapshot, CreateThread, ReadFile, ExpandEnvironmentStringsA, SetEvent, CreateEventA, SetFilePointer, WriteFile, CreateFileW, GetTempFileNameW, GetTempPathW, DeleteFileW, CreateProcessW, WideCharToMultiByte, LoadResource, FindResourceA, GetSystemDirectoryA, GetUserDefaultLangID, GetSystemDefaultLangID, GetVersionExA, GlobalFree, GlobalAlloc, CompareStringA, GetCurrentProcess, WritePrivateProfileStringA, GetWindowsDirectoryA, SetCurrentDirectoryA, CreateProcessA, GetDiskFreeSpaceExA, GetModuleFileNameA, SetLastError, GetCurrentDirectoryA, SetFileTime, DosDateTimeToFileTime, LocalAlloc, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetStringTypeW, LockResource, GetLastError, GetFileAttributesW, HeapFree, GetProcessHeap, GetCommandLineA, GetStartupInfoA, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, GetFileAttributesA, ExitThread, GetCurrentThreadId, GetModuleHandleW, ExitProcess, HeapAlloc, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, GetModuleHandleA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InterlockedExchange, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA
                            OLEAUT32.dllVariantClear, VariantChangeType, SysAllocString, SysFreeString, VariantInit
                            VERSION.dllGetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
                            ole32.dllCoCreateInstance, CLSIDFromProgID, CoInitialize, CoTaskMemFree
                            GDI32.dllCreateFontIndirectA

                            Possible Origin

                            Language of compilation systemCountry where language is spokenMap
                            EnglishUnited States

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Jan 15, 2025 16:21:25.075073957 CET5710153192.168.2.61.1.1.1
                            Jan 15, 2025 16:21:25.079981089 CET53571011.1.1.1192.168.2.6
                            Jan 15, 2025 16:21:25.080385923 CET5710153192.168.2.61.1.1.1
                            Jan 15, 2025 16:21:25.085268974 CET53571011.1.1.1192.168.2.6
                            Jan 15, 2025 16:21:25.533427000 CET5710153192.168.2.61.1.1.1
                            Jan 15, 2025 16:21:25.538458109 CET53571011.1.1.1192.168.2.6
                            Jan 15, 2025 16:21:25.538522959 CET5710153192.168.2.61.1.1.1

                            UDP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Jan 15, 2025 16:21:25.074510098 CET53612821.1.1.1192.168.2.6

                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:10:21:06
                            Start date:15/01/2025
                            Path:C:\Users\user\Desktop\AccessDatabaseuser.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\AccessDatabaseuser.exe"
                            Imagebase:0x2d360000
                            File size:26'557'232 bytes
                            MD5 hash:46B666E01D7EA03BC65EC5E1249F7D4B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            General

                            Target ID:2
                            Start time:10:21:08
                            Start date:15/01/2025
                            Path:C:\Windows\System32\msiexec.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\msiexec.exe /V
                            Imagebase:0x7ff7851b0000
                            File size:69'632 bytes
                            MD5 hash:E5DA170027542E25EDE42FC54C929077
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            General

                            Target ID:3
                            Start time:10:21:08
                            Start date:15/01/2025
                            Path:C:\Windows\SysWOW64\msiexec.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6DCFC73376ADDBA52990B232DF33C952 C
                            Imagebase:0x880000
                            File size:59'904 bytes
                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:7
                            Start time:10:21:24
                            Start date:15/01/2025
                            Path:C:\Windows\SysWOW64\msiexec.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding E0883EF17785BDC605A083E905F940CD
                            Imagebase:0x880000
                            File size:59'904 bytes
                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:8
                            Start time:10:21:32
                            Start date:15/01/2025
                            Path:C:\Windows\SysWOW64\msiexec.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding A0E0FCCBD52B915BB5099AA028D1FC6F E Global\MSI0000
                            Imagebase:0x880000
                            File size:59'904 bytes
                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Disassembly

                            Reset < >

                              Execution Graph

                              Execution Coverage:9.1%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:2.5%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:78
                              execution_graph 15147 2d37ec30 FindResourceA 15148 2d37ec6b LoadResource 15147->15148 15149 2d37ec49 GetLastError 15147->15149 15148->15149 15151 2d37ec78 LockResource SysAllocString 15148->15151 15156 2d36e813 15149->15156 15152 2d37eca1 15151->15152 15153 2d37ec58 15151->15153 15155 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15153->15155 15169 2d36e7d1 15153->15169 15155->15148 15157 2d385e3a Mailbox WriteFile 15156->15157 15158 2d36e83d 15157->15158 15174 2d36e7f7 15158->15174 15161 2d385e3a Mailbox WriteFile 15162 2d36e85d 15161->15162 15163 2d385e3a Mailbox WriteFile 15162->15163 15164 2d36e869 15163->15164 15165 2d385e3a Mailbox WriteFile 15164->15165 15166 2d36e875 15165->15166 15177 2d38f7a3 15166->15177 15168 2d36e883 15168->15153 15170 2d385e3a Mailbox WriteFile 15169->15170 15171 2d36e7e6 15170->15171 15172 2d385e3a Mailbox WriteFile 15171->15172 15173 2d36e7f2 15172->15173 15173->15153 15184 2d38fe19 15174->15184 15178 2d38f7af 15177->15178 15179 2d395136 IsDebuggerPresent 15177->15179 15178->15168 15557 2d394391 15179->15557 15181 2d3951fd SetUnhandledExceptionFilter UnhandledExceptionFilter 15182 2d395222 GetCurrentProcess TerminateProcess 15181->15182 15183 2d39521a __invoke_watson 15181->15183 15182->15168 15183->15182 15187 2d38fd12 15184->15187 15188 2d38fd40 15187->15188 15189 2d38fd20 15187->15189 15192 2d38fd4e 15188->15192 15194 2d38fd75 15188->15194 15190 2d392e82 __locking 67 API calls 15189->15190 15191 2d38fd25 15190->15191 15193 2d38f391 __locking 6 API calls 15191->15193 15195 2d392e82 __locking 67 API calls 15192->15195 15198 2d36e80e 15192->15198 15193->15198 15197 2d392e82 __locking 67 API calls 15194->15197 15196 2d38fd6a 15195->15196 15202 2d38f391 __locking 6 API calls 15196->15202 15199 2d38fd7a 15197->15199 15198->15161 15200 2d38fd88 15199->15200 15201 2d38fdb5 15199->15201 15217 2d38fc46 15200->15217 15204 2d38fc46 __vsnprintf_helper 101 API calls 15201->15204 15202->15198 15206 2d38fdc6 15204->15206 15207 2d38fdee 15206->15207 15209 2d38fdd8 15206->15209 15207->15198 15214 2d392e82 __locking 67 API calls 15207->15214 15208 2d38fda2 15210 2d392e82 __locking 67 API calls 15208->15210 15211 2d392e82 __locking 67 API calls 15209->15211 15212 2d38fda7 15210->15212 15213 2d38fddd 15211->15213 15212->15198 15215 2d392e82 __locking 67 API calls 15212->15215 15213->15198 15216 2d392e82 __locking 67 API calls 15213->15216 15214->15196 15215->15198 15216->15198 15218 2d38fc76 15217->15218 15219 2d38fc56 15217->15219 15221 2d38fca3 15218->15221 15223 2d38fc86 15218->15223 15220 2d392e82 __locking 67 API calls 15219->15220 15222 2d38fc5b 15220->15222 15226 2d38fc6b 15221->15226 15230 2d395315 15221->15230 15224 2d38f391 __locking 6 API calls 15222->15224 15225 2d392e82 __locking 67 API calls 15223->15225 15224->15226 15227 2d38fc8b 15225->15227 15226->15207 15226->15208 15228 2d38f391 __locking 6 API calls 15227->15228 15228->15226 15251 2d39a329 15230->15251 15233 2d395330 15235 2d392e82 __locking 67 API calls 15233->15235 15234 2d395347 15236 2d39534b 15234->15236 15244 2d395358 __flswbuf 15234->15244 15246 2d395335 15235->15246 15237 2d392e82 __locking 67 API calls 15236->15237 15237->15246 15238 2d3953b9 15239 2d395448 15238->15239 15240 2d3953c8 15238->15240 15241 2d399feb __locking 101 API calls 15239->15241 15242 2d3953df 15240->15242 15247 2d3953fc 15240->15247 15241->15246 15269 2d399feb 15242->15269 15244->15238 15244->15246 15248 2d3953ae 15244->15248 15257 2d39a110 15244->15257 15246->15226 15247->15246 15294 2d39979f 15247->15294 15248->15238 15266 2d39a0c7 15248->15266 15252 2d39a338 15251->15252 15253 2d395325 15251->15253 15254 2d392e82 __locking 67 API calls 15252->15254 15253->15233 15253->15234 15255 2d39a33d 15254->15255 15256 2d38f391 __locking 6 API calls 15255->15256 15256->15253 15258 2d39a11d 15257->15258 15259 2d39a12c 15257->15259 15260 2d392e82 __locking 67 API calls 15258->15260 15262 2d39a150 15259->15262 15263 2d392e82 __locking 67 API calls 15259->15263 15261 2d39a122 15260->15261 15261->15248 15262->15248 15264 2d39a140 15263->15264 15265 2d38f391 __locking 6 API calls 15264->15265 15265->15262 15326 2d395236 15266->15326 15270 2d399ff7 __locking 15269->15270 15271 2d39a01a 15270->15271 15272 2d399fff 15270->15272 15273 2d39a028 15271->15273 15278 2d39a069 15271->15278 15331 2d392e95 15272->15331 15275 2d392e95 __locking 67 API calls 15273->15275 15277 2d39a02d 15275->15277 15280 2d392e82 __locking 67 API calls 15277->15280 15334 2d39b8f3 15278->15334 15279 2d392e82 __locking 67 API calls 15282 2d39a00c __locking 15279->15282 15283 2d39a034 15280->15283 15282->15246 15285 2d38f391 __locking 6 API calls 15283->15285 15284 2d39a06f 15286 2d39a07c 15284->15286 15287 2d39a092 15284->15287 15285->15282 15344 2d3998b8 15286->15344 15288 2d392e82 __locking 67 API calls 15287->15288 15290 2d39a097 15288->15290 15292 2d392e95 __locking 67 API calls 15290->15292 15291 2d39a08a 15403 2d39a0bd 15291->15403 15292->15291 15295 2d3997ab __locking 15294->15295 15296 2d3997d8 15295->15296 15297 2d3997bc 15295->15297 15298 2d3997e6 15296->15298 15300 2d399807 15296->15300 15299 2d392e95 __locking 67 API calls 15297->15299 15301 2d392e95 __locking 67 API calls 15298->15301 15302 2d3997c1 15299->15302 15305 2d39984d 15300->15305 15306 2d399827 15300->15306 15304 2d3997eb 15301->15304 15303 2d392e82 __locking 67 API calls 15302->15303 15307 2d3997c9 __locking 15303->15307 15309 2d392e82 __locking 67 API calls 15304->15309 15308 2d39b8f3 ___lock_fhandle 68 API calls 15305->15308 15310 2d392e95 __locking 67 API calls 15306->15310 15307->15246 15311 2d399853 15308->15311 15312 2d3997f2 15309->15312 15313 2d39982c 15310->15313 15315 2d39987c 15311->15315 15316 2d399860 15311->15316 15317 2d38f391 __locking 6 API calls 15312->15317 15314 2d392e82 __locking 67 API calls 15313->15314 15318 2d399833 15314->15318 15320 2d392e82 __locking 67 API calls 15315->15320 15319 2d39971a __lseeki64_nolock 69 API calls 15316->15319 15317->15307 15321 2d38f391 __locking 6 API calls 15318->15321 15322 2d399871 15319->15322 15323 2d399881 15320->15323 15321->15307 15553 2d3998ae 15322->15553 15324 2d392e95 __locking 67 API calls 15323->15324 15324->15322 15330 2d39523f 15326->15330 15327 2d3910ae _realloc 66 API calls 15327->15330 15328 2d395275 15328->15238 15329 2d395256 Sleep 15329->15330 15330->15327 15330->15328 15330->15329 15406 2d392519 GetLastError 15331->15406 15333 2d392e9a 15333->15279 15335 2d39b8ff __locking 15334->15335 15336 2d39b95a 15335->15336 15464 2d3934be 15335->15464 15338 2d39b97c __locking 15336->15338 15339 2d39b95f EnterCriticalSection 15336->15339 15338->15284 15339->15338 15340 2d39b92b 15341 2d39b942 15340->15341 15471 2d399091 15340->15471 15475 2d39b98a 15341->15475 15345 2d3998c7 __write_nolock 15344->15345 15346 2d3998f9 15345->15346 15347 2d399920 15345->15347 15377 2d3998ee 15345->15377 15349 2d392e95 __locking 67 API calls 15346->15349 15350 2d399988 15347->15350 15351 2d399962 15347->15351 15348 2d38f7a3 ___convertcp 5 API calls 15352 2d399fe9 15348->15352 15353 2d3998fe 15349->15353 15355 2d39999c 15350->15355 15513 2d39971a 15350->15513 15354 2d392e95 __locking 67 API calls 15351->15354 15352->15291 15356 2d392e82 __locking 67 API calls 15353->15356 15358 2d399967 15354->15358 15357 2d39a110 __write_nolock 67 API calls 15355->15357 15360 2d399905 15356->15360 15361 2d3999a7 15357->15361 15362 2d392e82 __locking 67 API calls 15358->15362 15363 2d38f391 __locking 6 API calls 15360->15363 15364 2d399c4d 15361->15364 15523 2d392592 15361->15523 15365 2d399970 15362->15365 15363->15377 15367 2d399c5d 15364->15367 15368 2d399f1c WriteFile 15364->15368 15366 2d38f391 __locking 6 API calls 15365->15366 15366->15377 15370 2d399d3b 15367->15370 15393 2d399c71 15367->15393 15372 2d399c2f 15368->15372 15373 2d399f4f GetLastError 15368->15373 15392 2d399e1b 15370->15392 15395 2d399d4a 15370->15395 15374 2d399f9a 15372->15374 15372->15377 15379 2d399f6d 15372->15379 15373->15372 15374->15377 15378 2d392e82 __locking 67 API calls 15374->15378 15375 2d3999ed 15375->15364 15376 2d3999ff GetConsoleCP 15375->15376 15376->15372 15401 2d399a22 15376->15401 15377->15348 15383 2d399fbd 15378->15383 15380 2d399f78 15379->15380 15381 2d399f8c 15379->15381 15385 2d392e82 __locking 67 API calls 15380->15385 15531 2d392ea8 15381->15531 15382 2d399cdf WriteFile 15382->15373 15382->15393 15389 2d392e95 __locking 67 API calls 15383->15389 15384 2d399e81 WideCharToMultiByte 15384->15373 15386 2d399eb8 WriteFile 15384->15386 15390 2d399f7d 15385->15390 15391 2d399eef GetLastError 15386->15391 15386->15392 15387 2d399dbf WriteFile 15387->15373 15387->15395 15389->15377 15394 2d392e95 __locking 67 API calls 15390->15394 15391->15392 15392->15372 15392->15374 15392->15384 15392->15386 15393->15372 15393->15374 15393->15382 15394->15377 15395->15372 15395->15374 15395->15387 15397 2d39b9ba 11 API calls __putwch_nolock 15397->15401 15398 2d399ace WideCharToMultiByte 15398->15372 15400 2d399aff WriteFile 15398->15400 15399 2d39a60f 79 API calls __fassign 15399->15401 15400->15373 15400->15401 15401->15372 15401->15373 15401->15397 15401->15398 15401->15399 15402 2d399b53 WriteFile 15401->15402 15528 2d39a661 15401->15528 15402->15373 15402->15401 15552 2d39b993 LeaveCriticalSection 15403->15552 15405 2d39a0c5 15405->15282 15421 2d3923a0 TlsGetValue 15406->15421 15409 2d392586 SetLastError 15409->15333 15412 2d39254c 15413 2d392305 __decode_pointer 6 API calls 15412->15413 15414 2d39255e 15413->15414 15415 2d39257d 15414->15415 15416 2d392565 15414->15416 15451 2d38f117 15415->15451 15432 2d392432 15416->15432 15419 2d39256d GetCurrentThreadId 15419->15409 15420 2d392583 15420->15409 15422 2d3923d0 15421->15422 15423 2d3923b5 15421->15423 15422->15409 15426 2d39527b 15422->15426 15424 2d392305 __decode_pointer 6 API calls 15423->15424 15425 2d3923c0 TlsSetValue 15424->15425 15425->15422 15428 2d395284 15426->15428 15427 2d393fb5 __calloc_impl 66 API calls 15427->15428 15428->15427 15429 2d392544 15428->15429 15430 2d3952a2 Sleep 15428->15430 15429->15409 15429->15412 15431 2d3952b7 15430->15431 15431->15428 15431->15429 15433 2d392906 __locking 15432->15433 15434 2d39243e GetModuleHandleW 15433->15434 15435 2d39244e 15434->15435 15436 2d392455 15434->15436 15437 2d390d27 __crt_waiting_on_module_handle Sleep GetModuleHandleW 15435->15437 15438 2d39246c GetProcAddress GetProcAddress 15436->15438 15439 2d392490 15436->15439 15440 2d392454 15437->15440 15438->15439 15441 2d3934be __lock 63 API calls 15439->15441 15440->15436 15442 2d3924af InterlockedIncrement 15441->15442 15443 2d392507 __mtinit LeaveCriticalSection 15442->15443 15444 2d3924c9 15443->15444 15445 2d3934be __lock 63 API calls 15444->15445 15446 2d3924d0 15445->15446 15447 2d3985e7 ___addlocaleref 8 API calls 15446->15447 15448 2d3924ee 15447->15448 15449 2d392510 __mtinit LeaveCriticalSection 15448->15449 15450 2d3924fb __locking 15449->15450 15450->15419 15452 2d38f123 __locking 15451->15452 15453 2d38f162 15452->15453 15454 2d38f19c __locking _realloc 15452->15454 15455 2d3934be __lock 65 API calls 15452->15455 15453->15454 15456 2d38f177 RtlFreeHeap 15453->15456 15454->15420 15460 2d38f13a ___sbh_find_block 15455->15460 15456->15454 15457 2d38f189 15456->15457 15458 2d392e82 __locking 65 API calls 15457->15458 15459 2d38f18e GetLastError 15458->15459 15459->15454 15461 2d38f154 15460->15461 15462 2d393521 ___sbh_free_block __VEC_memcpy VirtualFree VirtualFree HeapFree 15460->15462 15463 2d38f16d __fclose_nolock LeaveCriticalSection 15461->15463 15462->15461 15463->15453 15465 2d3934d3 15464->15465 15466 2d3934e6 EnterCriticalSection 15464->15466 15478 2d3933f9 15465->15478 15466->15340 15468 2d3934d9 15468->15466 15504 2d390d57 15468->15504 15511 2d392906 15471->15511 15473 2d39909d InitializeCriticalSectionAndSpinCount 15474 2d3990e1 __locking 15473->15474 15474->15341 15512 2d3933e2 LeaveCriticalSection 15475->15512 15477 2d39b991 15477->15336 15479 2d393405 __locking 15478->15479 15480 2d39342b 15479->15480 15481 2d391985 __FF_MSGBANNER 67 API calls 15479->15481 15482 2d395236 __malloc_crt 67 API calls 15480->15482 15488 2d39343d __locking 15480->15488 15483 2d39341a 15481->15483 15484 2d393448 15482->15484 15485 2d3917da __NMSG_WRITE 67 API calls 15483->15485 15486 2d39344f 15484->15486 15487 2d39345e 15484->15487 15489 2d393421 15485->15489 15490 2d392e82 __locking 67 API calls 15486->15490 15491 2d3934be __lock 67 API calls 15487->15491 15488->15468 15492 2d390dab _doexit GetModuleHandleW GetProcAddress ExitProcess 15489->15492 15490->15488 15493 2d393465 15491->15493 15492->15480 15494 2d393499 15493->15494 15495 2d39346d 15493->15495 15496 2d38f117 __fclose_nolock 67 API calls 15494->15496 15497 2d399091 ___lock_fhandle InitializeCriticalSectionAndSpinCount 15495->15497 15498 2d39348a 15496->15498 15499 2d393478 15497->15499 15501 2d3934b5 __lock LeaveCriticalSection 15498->15501 15499->15498 15500 2d38f117 __fclose_nolock 67 API calls 15499->15500 15502 2d393484 15500->15502 15501->15488 15503 2d392e82 __locking 67 API calls 15502->15503 15503->15498 15505 2d391985 __FF_MSGBANNER 67 API calls 15504->15505 15506 2d390d61 15505->15506 15507 2d3917da __NMSG_WRITE 67 API calls 15506->15507 15508 2d390d69 15507->15508 15509 2d392305 __decode_pointer 6 API calls 15508->15509 15510 2d390d74 15509->15510 15510->15466 15511->15473 15512->15477 15536 2d39b87c 15513->15536 15515 2d399738 15516 2d399751 SetFilePointer 15515->15516 15517 2d399740 15515->15517 15518 2d399769 GetLastError 15516->15518 15521 2d399745 15516->15521 15519 2d392e82 __locking 67 API calls 15517->15519 15520 2d399773 15518->15520 15518->15521 15519->15521 15522 2d392ea8 __dosmaperr 67 API calls 15520->15522 15521->15355 15522->15521 15524 2d392519 __getptd_noexit 67 API calls 15523->15524 15525 2d39259a 15524->15525 15526 2d3925a7 GetConsoleMode 15525->15526 15527 2d390d57 __amsg_exit 67 API calls 15525->15527 15526->15364 15526->15375 15527->15526 15549 2d39a629 15528->15549 15532 2d392e95 __locking 67 API calls 15531->15532 15533 2d392eb3 _realloc 15532->15533 15534 2d392e82 __locking 67 API calls 15533->15534 15535 2d392ec6 15534->15535 15535->15377 15537 2d39b889 15536->15537 15538 2d39b8a1 15536->15538 15539 2d392e95 __locking 67 API calls 15537->15539 15541 2d392e95 __locking 67 API calls 15538->15541 15546 2d39b8e6 15538->15546 15540 2d39b88e 15539->15540 15542 2d392e82 __locking 67 API calls 15540->15542 15543 2d39b8cf 15541->15543 15544 2d39b896 15542->15544 15545 2d392e82 __locking 67 API calls 15543->15545 15544->15515 15547 2d39b8d6 15545->15547 15546->15515 15548 2d38f391 __locking 6 API calls 15547->15548 15548->15546 15550 2d390248 _LocaleUpdate::_LocaleUpdate 77 API calls 15549->15550 15551 2d39a63c 15550->15551 15551->15401 15552->15405 15556 2d39b993 LeaveCriticalSection 15553->15556 15555 2d3998b6 15555->15307 15556->15555 15557->15181 15709 2d38e033 15711 2d38e047 15709->15711 15710 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15710->15711 15711->15710 15713 2d38e13d 15711->15713 15715 2d38e310 15711->15715 15719 2d38de59 15711->15719 15717 2d38e329 15715->15717 15716 2d38e349 15716->15711 15717->15716 15718 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15717->15718 15718->15716 15720 2d38de65 __EH_prolog3 15719->15720 15725 2d36e012 15720->15725 15723 2d36e012 95 API calls 15724 2d38de9f std::runtime_error::runtime_error 15723->15724 15724->15711 15726 2d36e01c 15725->15726 15726->15726 15729 2d36dcb3 15726->15729 15728 2d36e033 15728->15723 15730 2d36dcc3 15729->15730 15731 2d36dce7 15730->15731 15733 2d36dcc7 15730->15733 15738 2d36d94a 15731->15738 15747 2d36db12 15733->15747 15735 2d36dce5 Mailbox 15735->15728 15736 2d36dcf3 15736->15735 15760 2d36d351 15736->15760 15739 2d36d961 15738->15739 15740 2d36d95c 15738->15740 15742 2d36d966 15739->15742 15745 2d36d973 15739->15745 15741 2d39e53a std::_String_base::_Xlen 95 API calls 15740->15741 15741->15739 15763 2d36d65e 15742->15763 15743 2d36d971 Mailbox 15743->15736 15745->15743 15746 2d36d44f Mailbox 67 API calls 15745->15746 15746->15743 15748 2d36db25 15747->15748 15749 2d36db2a 15747->15749 15750 2d39e572 std::runtime_error::runtime_error 95 API calls 15748->15750 15751 2d36db40 15749->15751 15752 2d36db58 15749->15752 15750->15749 15781 2d36d5e1 15751->15781 15753 2d36d94a 95 API calls 15752->15753 15758 2d36db60 15753->15758 15755 2d36db4a 15757 2d36d5e1 95 API calls 15755->15757 15756 2d36db56 Mailbox 15756->15735 15757->15756 15758->15756 15759 2d36d351 67 API calls 15758->15759 15759->15756 15811 2d36d0a2 15760->15811 15764 2d36d66a __EH_prolog3_catch 15763->15764 15771 2d36d02a 15764->15771 15766 2d36d706 15768 2d36d44f Mailbox 67 API calls 15766->15768 15770 2d36d711 Mailbox std::runtime_error::runtime_error 15768->15770 15769 2d36d351 67 API calls 15769->15766 15770->15743 15772 2d36d047 15771->15772 15773 2d36d037 15771->15773 15772->15773 15774 2d36d053 15772->15774 15775 2d38ef83 std::runtime_error::runtime_error 75 API calls 15773->15775 15776 2d36ce45 std::bad_exception::bad_exception 67 API calls 15774->15776 15777 2d36d042 15775->15777 15778 2d36d05d 15776->15778 15777->15766 15777->15769 15779 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15778->15779 15780 2d36d06b 15779->15780 15782 2d36d5f1 15781->15782 15784 2d36d5f6 15781->15784 15783 2d39e572 std::runtime_error::runtime_error 95 API calls 15782->15783 15783->15784 15786 2d36d648 Mailbox 15784->15786 15787 2d36d387 15784->15787 15786->15755 15790 2d36d0d8 15787->15790 15793 2d36cead 15790->15793 15796 2d36cdd0 15793->15796 15799 2d38ef0b 15796->15799 15800 2d38ef1b 15799->15800 15801 2d36cdea 15799->15801 15802 2d38ef20 15800->15802 15804 2d38ef40 15800->15804 15801->15786 15803 2d392e82 __locking 67 API calls 15802->15803 15805 2d38ef25 15803->15805 15806 2d38ef53 15804->15806 15807 2d38ef45 15804->15807 15810 2d38f391 __locking 6 API calls 15805->15810 15809 2d392ecb _memmove_s __VEC_memcpy 15806->15809 15808 2d392e82 __locking 67 API calls 15807->15808 15808->15805 15809->15801 15810->15801 15812 2d36ce91 char_traits 67 API calls 15811->15812 15813 2d36d0b6 15812->15813 15813->15735 17722 2d370427 17723 2d36f91b Mailbox 6 API calls 17722->17723 17727 2d370443 17723->17727 17724 2d36f91b Mailbox 6 API calls 17724->17727 17725 2d37ea61 Mailbox 6 API calls 17725->17727 17726 2d370494 17727->17724 17727->17725 17727->17726 17731 2d371b2d 17727->17731 17737 2d36f6af 17727->17737 17746 2d371b78 17727->17746 17732 2d371b36 17731->17732 17733 2d371b3b 17731->17733 17734 2d38f3b7 Mailbox 6 API calls 17732->17734 17735 2d371b54 17733->17735 17736 2d38f3b7 Mailbox 6 API calls 17733->17736 17734->17733 17735->17727 17736->17735 17738 2d38ffb2 __NMSG_WRITE 67 API calls 17737->17738 17739 2d36f6d9 17738->17739 17740 2d36f762 17739->17740 17741 2d36e813 102 API calls 17739->17741 17742 2d38f7a3 ___convertcp 5 API calls 17740->17742 17743 2d36f749 17741->17743 17744 2d36f76c 17742->17744 17745 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 17743->17745 17744->17727 17745->17740 17747 2d371b81 17746->17747 17750 2d371b86 17746->17750 17748 2d38f3b7 Mailbox 6 API calls 17747->17748 17748->17750 17749 2d371b9f 17749->17727 17750->17749 17751 2d38f3b7 Mailbox 6 API calls 17750->17751 17751->17749 17782 2d384b2a 17785 2d384a99 17782->17785 17784 2d384b35 Mailbox 17786 2d384aa5 __EH_prolog3 17785->17786 17805 2d37f924 17786->17805 17788 2d384abc 17789 2d37f924 Mailbox 6 API calls 17788->17789 17790 2d384acb 17789->17790 17791 2d37f924 Mailbox 6 API calls 17790->17791 17792 2d384ada 17791->17792 17793 2d36d44f Mailbox 67 API calls 17792->17793 17794 2d384aec 17793->17794 17795 2d36d44f Mailbox 67 API calls 17794->17795 17796 2d384af6 17795->17796 17797 2d36d44f Mailbox 67 API calls 17796->17797 17798 2d384b00 17797->17798 17799 2d36d44f Mailbox 67 API calls 17798->17799 17800 2d384b0a 17799->17800 17801 2d36d44f Mailbox 67 API calls 17800->17801 17802 2d384b14 17801->17802 17803 2d36d44f Mailbox 67 API calls 17802->17803 17804 2d384b1e std::runtime_error::runtime_error 17803->17804 17804->17784 17806 2d37f930 __EH_prolog3 17805->17806 17814 2d371ea8 17806->17814 17808 2d36f91b Mailbox 6 API calls 17811 2d37f94b 17808->17811 17809 2d37ea61 Mailbox 6 API calls 17809->17811 17810 2d371b2d Mailbox 6 API calls 17810->17811 17811->17808 17811->17809 17811->17810 17812 2d371b78 Mailbox 6 API calls 17811->17812 17813 2d37f994 Mailbox std::runtime_error::runtime_error 17811->17813 17812->17811 17813->17788 17815 2d371e90 Mailbox 6 API calls 17814->17815 17816 2d371eb9 17815->17816 17816->17811 15572 2d388610 15573 2d3885a7 6 API calls 15572->15573 15574 2d388622 15573->15574 15577 2d38847b WriteFile 15574->15577 15578 2d38849c 15577->15578 17204 2d373001 CLSIDFromProgID 17205 2d37303e 17204->17205 17206 2d37302a CoCreateInstance 17204->17206 17207 2d38f7a3 ___convertcp 5 API calls 17205->17207 17206->17205 17208 2d37304a 17207->17208 18551 2d38ee01 18554 2d38edf1 18551->18554 18553 2d38ee0e Mailbox 18557 2d3929f5 18554->18557 18556 2d38edff 18556->18553 18558 2d392a01 __locking 18557->18558 18559 2d3934be __lock 67 API calls 18558->18559 18562 2d392a08 18559->18562 18560 2d392a41 18567 2d392a5c 18560->18567 18562->18560 18565 2d38f117 __fclose_nolock 67 API calls 18562->18565 18566 2d392a38 18562->18566 18563 2d392a52 __locking 18563->18556 18564 2d38f117 __fclose_nolock 67 API calls 18564->18560 18565->18566 18566->18564 18570 2d3933e2 LeaveCriticalSection 18567->18570 18569 2d392a63 18569->18563 18570->18569 16467 2d37eb78 VariantClear 16468 2d37eb8b 16467->16468 16469 2d37eb97 16468->16469 16470 2d37eba2 SysAllocString 16468->16470 16470->16469 16471 2d37ebb2 _com_util::ConvertStringToBSTR 16470->16471 16472 2d37ebbc FindResourceA 16471->16472 16473 2d37ebd6 16472->16473 16474 2d37ebd8 LoadResource 16472->16474 16475 2d37ec07 LockResource SysAllocString 16474->16475 16476 2d37ebe5 GetLastError 16474->16476 16475->16473 16478 2d37ebf4 16475->16478 16477 2d36e813 102 API calls 16476->16477 16477->16478 16479 2d36e7d1 WriteFile 16478->16479 16480 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16478->16480 16479->16478 16480->16475 17209 2d388364 GetVersionExA 17210 2d388396 17209->17210 17220 2d388392 17209->17220 17211 2d3883b4 _memset 17210->17211 17213 2d3883a2 17210->17213 17217 2d3883ce KiUserCallbackDispatcher 17211->17217 17212 2d38f7a3 ___convertcp 5 API calls 17214 2d388410 17212->17214 17221 2d388222 LoadLibraryA 17213->17221 17219 2d3883f2 CreateFontIndirectA 17217->17219 17217->17220 17218 2d3883b2 17218->17220 17219->17220 17220->17212 17222 2d38823e GetProcAddress 17221->17222 17235 2d388237 17221->17235 17223 2d38825a GetProcAddress 17222->17223 17222->17235 17224 2d38826f GetProcAddress 17223->17224 17223->17235 17225 2d388284 GetProcAddress 17224->17225 17224->17235 17226 2d388299 LoadLibraryA 17225->17226 17225->17235 17227 2d3882aa GetProcAddress 17226->17227 17226->17235 17228 2d3882bb GetProcAddress 17227->17228 17227->17235 17229 2d3882cc GetProcAddress 17228->17229 17228->17235 17230 2d3882dd GetProcAddress 17229->17230 17229->17235 17231 2d3882ee GetProcAddress 17230->17231 17230->17235 17232 2d3882ff GetProcAddress 17231->17232 17231->17235 17233 2d388310 GetProcAddress 17232->17233 17232->17235 17234 2d388321 GetProcAddress 17233->17234 17233->17235 17234->17235 17235->17211 17235->17218 15814 2d386655 15815 2d36dc92 std::_String_base::_Xlen 95 API calls 15814->15815 15819 2d386679 15815->15819 15816 2d3866bc 15817 2d3866c3 15820 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15817->15820 15819->15816 15819->15817 15821 2d3866ae CharNextA 15819->15821 15823 2d390cf9 15819->15823 15822 2d3866d7 15820->15822 15821->15816 15821->15819 15824 2d390d19 15823->15824 15825 2d390d07 15823->15825 15828 2d390ca8 15824->15828 15825->15819 15833 2d390248 15828->15833 15831 2d390cd5 15831->15819 15834 2d39025b 15833->15834 15840 2d3902a8 15833->15840 15835 2d392592 __getptd 67 API calls 15834->15835 15836 2d390260 15835->15836 15837 2d390288 15836->15837 15848 2d39874d 15836->15848 15837->15840 15863 2d397fe3 15837->15863 15840->15831 15841 2d398da9 15840->15841 15842 2d390248 _LocaleUpdate::_LocaleUpdate 77 API calls 15841->15842 15843 2d398dbd 15842->15843 15844 2d39a629 __isleadbyte_l 77 API calls 15843->15844 15847 2d398dca 15843->15847 15845 2d398df2 15844->15845 16063 2d39b4f5 15845->16063 15847->15831 15849 2d398759 __locking 15848->15849 15850 2d392592 __getptd 67 API calls 15849->15850 15851 2d39875e 15850->15851 15852 2d39878c 15851->15852 15853 2d398770 15851->15853 15854 2d3934be __lock 67 API calls 15852->15854 15855 2d392592 __getptd 67 API calls 15853->15855 15856 2d398793 15854->15856 15858 2d398775 15855->15858 15879 2d39870f 15856->15879 15861 2d398783 __locking 15858->15861 15862 2d390d57 __amsg_exit 67 API calls 15858->15862 15861->15837 15862->15861 15864 2d397fef __locking 15863->15864 15865 2d392592 __getptd 67 API calls 15864->15865 15866 2d397ff4 15865->15866 15867 2d3934be __lock 67 API calls 15866->15867 15874 2d398006 15866->15874 15868 2d398024 15867->15868 15869 2d39806d 15868->15869 15872 2d39803b InterlockedDecrement 15868->15872 15873 2d398055 InterlockedIncrement 15868->15873 16059 2d39807e 15869->16059 15870 2d390d57 __amsg_exit 67 API calls 15875 2d398014 __locking 15870->15875 15872->15873 15876 2d398046 15872->15876 15873->15869 15874->15870 15874->15875 15875->15840 15876->15873 15877 2d38f117 __fclose_nolock 67 API calls 15876->15877 15878 2d398054 15877->15878 15878->15873 15880 2d398713 15879->15880 15881 2d398745 15879->15881 15880->15881 15890 2d3985e7 InterlockedIncrement 15880->15890 15887 2d3987b7 15881->15887 15883 2d398726 15883->15881 15902 2d398676 15883->15902 16058 2d3933e2 LeaveCriticalSection 15887->16058 15889 2d3987be 15889->15858 15891 2d398608 15890->15891 15892 2d398605 InterlockedIncrement 15890->15892 15893 2d398612 InterlockedIncrement 15891->15893 15894 2d398615 15891->15894 15892->15891 15893->15894 15895 2d39861f InterlockedIncrement 15894->15895 15896 2d398622 15894->15896 15895->15896 15897 2d39862c InterlockedIncrement 15896->15897 15898 2d39862f 15896->15898 15897->15898 15899 2d398648 InterlockedIncrement 15898->15899 15900 2d398658 InterlockedIncrement 15898->15900 15901 2d398663 InterlockedIncrement 15898->15901 15899->15898 15900->15898 15901->15883 15903 2d39870a 15902->15903 15904 2d398687 InterlockedDecrement 15902->15904 15903->15881 15916 2d39849e 15903->15916 15905 2d39869c InterlockedDecrement 15904->15905 15906 2d39869f 15904->15906 15905->15906 15907 2d3986a9 InterlockedDecrement 15906->15907 15908 2d3986ac 15906->15908 15907->15908 15909 2d3986b9 15908->15909 15910 2d3986b6 InterlockedDecrement 15908->15910 15911 2d3986c3 InterlockedDecrement 15909->15911 15913 2d3986c6 15909->15913 15910->15909 15911->15913 15912 2d3986df InterlockedDecrement 15912->15913 15913->15912 15914 2d3986fa InterlockedDecrement 15913->15914 15915 2d3986ef InterlockedDecrement 15913->15915 15914->15903 15915->15913 15917 2d398522 15916->15917 15918 2d3984b5 15916->15918 15919 2d39856f 15917->15919 15920 2d38f117 __fclose_nolock 67 API calls 15917->15920 15918->15917 15927 2d38f117 __fclose_nolock 67 API calls 15918->15927 15929 2d3984e9 15918->15929 15930 2d398596 15919->15930 15970 2d39b537 15919->15970 15922 2d398543 15920->15922 15924 2d38f117 __fclose_nolock 67 API calls 15922->15924 15931 2d398556 15924->15931 15925 2d38f117 __fclose_nolock 67 API calls 15935 2d398517 15925->15935 15926 2d3985db 15936 2d38f117 __fclose_nolock 67 API calls 15926->15936 15937 2d3984de 15927->15937 15928 2d38f117 __fclose_nolock 67 API calls 15928->15930 15932 2d38f117 __fclose_nolock 67 API calls 15929->15932 15945 2d39850a 15929->15945 15930->15926 15933 2d38f117 67 API calls __fclose_nolock 15930->15933 15934 2d38f117 __fclose_nolock 67 API calls 15931->15934 15938 2d3984ff 15932->15938 15933->15930 15939 2d398564 15934->15939 15940 2d38f117 __fclose_nolock 67 API calls 15935->15940 15941 2d3985e1 15936->15941 15946 2d39b711 15937->15946 15962 2d39b6cc 15938->15962 15944 2d38f117 __fclose_nolock 67 API calls 15939->15944 15940->15917 15941->15881 15944->15919 15945->15925 15947 2d39b71e 15946->15947 15961 2d39b79b 15946->15961 15948 2d39b72f 15947->15948 15949 2d38f117 __fclose_nolock 67 API calls 15947->15949 15950 2d39b741 15948->15950 15951 2d38f117 __fclose_nolock 67 API calls 15948->15951 15949->15948 15952 2d39b753 15950->15952 15953 2d38f117 __fclose_nolock 67 API calls 15950->15953 15951->15950 15954 2d39b765 15952->15954 15955 2d38f117 __fclose_nolock 67 API calls 15952->15955 15953->15952 15956 2d39b777 15954->15956 15957 2d38f117 __fclose_nolock 67 API calls 15954->15957 15955->15954 15958 2d38f117 __fclose_nolock 67 API calls 15956->15958 15959 2d39b789 15956->15959 15957->15956 15958->15959 15960 2d38f117 __fclose_nolock 67 API calls 15959->15960 15959->15961 15960->15961 15961->15929 15963 2d39b70d 15962->15963 15965 2d39b6d9 15962->15965 15963->15945 15964 2d39b6e9 15967 2d39b6fb 15964->15967 15968 2d38f117 __fclose_nolock 67 API calls 15964->15968 15965->15964 15966 2d38f117 __fclose_nolock 67 API calls 15965->15966 15966->15964 15967->15963 15969 2d38f117 __fclose_nolock 67 API calls 15967->15969 15968->15967 15969->15963 15971 2d39b548 15970->15971 16057 2d39858f 15970->16057 15972 2d38f117 __fclose_nolock 67 API calls 15971->15972 15973 2d39b550 15972->15973 15974 2d38f117 __fclose_nolock 67 API calls 15973->15974 15975 2d39b558 15974->15975 15976 2d38f117 __fclose_nolock 67 API calls 15975->15976 15977 2d39b560 15976->15977 15978 2d38f117 __fclose_nolock 67 API calls 15977->15978 15979 2d39b568 15978->15979 15980 2d38f117 __fclose_nolock 67 API calls 15979->15980 15981 2d39b570 15980->15981 15982 2d38f117 __fclose_nolock 67 API calls 15981->15982 15983 2d39b578 15982->15983 15984 2d38f117 __fclose_nolock 67 API calls 15983->15984 15985 2d39b57f 15984->15985 15986 2d38f117 __fclose_nolock 67 API calls 15985->15986 15987 2d39b587 15986->15987 15988 2d38f117 __fclose_nolock 67 API calls 15987->15988 15989 2d39b58f 15988->15989 15990 2d38f117 __fclose_nolock 67 API calls 15989->15990 15991 2d39b597 15990->15991 15992 2d38f117 __fclose_nolock 67 API calls 15991->15992 15993 2d39b59f 15992->15993 15994 2d38f117 __fclose_nolock 67 API calls 15993->15994 15995 2d39b5a7 15994->15995 15996 2d38f117 __fclose_nolock 67 API calls 15995->15996 15997 2d39b5af 15996->15997 15998 2d38f117 __fclose_nolock 67 API calls 15997->15998 15999 2d39b5b7 15998->15999 16000 2d38f117 __fclose_nolock 67 API calls 15999->16000 16001 2d39b5bf 16000->16001 16002 2d38f117 __fclose_nolock 67 API calls 16001->16002 16003 2d39b5c7 16002->16003 16004 2d38f117 __fclose_nolock 67 API calls 16003->16004 16005 2d39b5d2 16004->16005 16006 2d38f117 __fclose_nolock 67 API calls 16005->16006 16007 2d39b5da 16006->16007 16008 2d38f117 __fclose_nolock 67 API calls 16007->16008 16009 2d39b5e2 16008->16009 16010 2d38f117 __fclose_nolock 67 API calls 16009->16010 16011 2d39b5ea 16010->16011 16012 2d38f117 __fclose_nolock 67 API calls 16011->16012 16013 2d39b5f2 16012->16013 16014 2d38f117 __fclose_nolock 67 API calls 16013->16014 16015 2d39b5fa 16014->16015 16016 2d38f117 __fclose_nolock 67 API calls 16015->16016 16017 2d39b602 16016->16017 16018 2d38f117 __fclose_nolock 67 API calls 16017->16018 16019 2d39b60a 16018->16019 16020 2d38f117 __fclose_nolock 67 API calls 16019->16020 16021 2d39b612 16020->16021 16022 2d38f117 __fclose_nolock 67 API calls 16021->16022 16023 2d39b61a 16022->16023 16024 2d38f117 __fclose_nolock 67 API calls 16023->16024 16025 2d39b622 16024->16025 16026 2d38f117 __fclose_nolock 67 API calls 16025->16026 16027 2d39b62a 16026->16027 16028 2d38f117 __fclose_nolock 67 API calls 16027->16028 16029 2d39b632 16028->16029 16030 2d38f117 __fclose_nolock 67 API calls 16029->16030 16057->15928 16058->15889 16062 2d3933e2 LeaveCriticalSection 16059->16062 16061 2d398085 16061->15874 16062->16061 16064 2d390248 _LocaleUpdate::_LocaleUpdate 77 API calls 16063->16064 16065 2d39b508 16064->16065 16068 2d39b33b 16065->16068 16069 2d39b35c GetStringTypeW 16068->16069 16070 2d39b387 16068->16070 16072 2d39b37c GetLastError 16069->16072 16073 2d39b374 16069->16073 16071 2d39b46e 16070->16071 16070->16073 16096 2d39dd43 GetLocaleInfoA 16071->16096 16072->16070 16074 2d39b3c0 MultiByteToWideChar 16073->16074 16091 2d39b468 16073->16091 16081 2d39b3ed 16074->16081 16074->16091 16076 2d38f7a3 ___convertcp 5 API calls 16078 2d39b4f3 16076->16078 16078->15847 16079 2d39b4bf GetStringTypeA 16085 2d39b4da 16079->16085 16079->16091 16080 2d39b402 _memset ___convertcp 16084 2d39b43b MultiByteToWideChar 16080->16084 16080->16091 16081->16080 16082 2d3910ae _realloc 67 API calls 16081->16082 16082->16080 16086 2d39b451 GetStringTypeW 16084->16086 16087 2d39b462 16084->16087 16088 2d38f117 __fclose_nolock 67 API calls 16085->16088 16086->16087 16092 2d39aa62 16087->16092 16088->16091 16091->16076 16093 2d39aa6e 16092->16093 16094 2d39aa7f 16092->16094 16093->16094 16095 2d38f117 __fclose_nolock 67 API calls 16093->16095 16094->16091 16095->16094 16097 2d39dd76 16096->16097 16098 2d39dd71 16096->16098 16127 2d39058d 16097->16127 16100 2d38f7a3 ___convertcp 5 API calls 16098->16100 16101 2d39b492 16100->16101 16101->16079 16101->16091 16102 2d39dd8c 16101->16102 16103 2d39ddcc GetCPInfo 16102->16103 16107 2d39de56 16102->16107 16104 2d39de41 MultiByteToWideChar 16103->16104 16105 2d39dde3 16103->16105 16104->16107 16111 2d39ddfc ___convertcp 16104->16111 16105->16104 16108 2d39dde9 GetCPInfo 16105->16108 16106 2d38f7a3 ___convertcp 5 API calls 16109 2d39b4b3 16106->16109 16107->16106 16108->16104 16110 2d39ddf6 16108->16110 16109->16079 16109->16091 16110->16104 16110->16111 16112 2d3910ae _realloc 67 API calls 16111->16112 16114 2d39de2e _memset ___convertcp 16111->16114 16112->16114 16113 2d39de8b MultiByteToWideChar 16115 2d39dea3 16113->16115 16116 2d39dec2 16113->16116 16114->16107 16114->16113 16118 2d39deaa WideCharToMultiByte 16115->16118 16119 2d39dec7 16115->16119 16117 2d39aa62 __freea 67 API calls 16116->16117 16117->16107 16118->16116 16120 2d39ded2 WideCharToMultiByte 16119->16120 16121 2d39dee6 16119->16121 16120->16116 16120->16121 16122 2d39527b __calloc_crt 67 API calls 16121->16122 16123 2d39deee 16122->16123 16123->16116 16124 2d39def7 WideCharToMultiByte 16123->16124 16124->16116 16125 2d39df09 16124->16125 16126 2d38f117 __fclose_nolock 67 API calls 16125->16126 16126->16116 16129 2d398aa7 16127->16129 16130 2d398ac0 16129->16130 16133 2d398878 16130->16133 16134 2d390248 _LocaleUpdate::_LocaleUpdate 77 API calls 16133->16134 16136 2d39888d 16134->16136 16135 2d39889f 16137 2d392e82 __locking 67 API calls 16135->16137 16136->16135 16141 2d3988dc 16136->16141 16138 2d3988a4 16137->16138 16139 2d38f391 __locking 6 API calls 16138->16139 16144 2d3988b4 16139->16144 16140 2d398da9 __isctype_l 91 API calls 16140->16141 16141->16140 16142 2d398921 16141->16142 16143 2d392e82 __locking 67 API calls 16142->16143 16142->16144 16143->16144 17058 2d38784b LoadLibraryA 17059 2d38785e 17058->17059 17060 2d387862 GetProcAddress FreeLibrary 17058->17060 17060->17059 14787 2d37d5b4 14794 2d36f91b 14787->14794 14793 2d37d5ea Mailbox 14795 2d36f937 14794->14795 14796 2d36f932 14794->14796 14798 2d3744a2 14795->14798 14823 2d38f3b7 14796->14823 14843 2d371e90 14798->14843 14801 2d37d510 14802 2d3744a2 Mailbox 6 API calls 14801->14802 14803 2d37d521 14802->14803 14846 2d37ea61 14803->14846 14806 2d37d55d 14807 2d37ea61 Mailbox 6 API calls 14806->14807 14822 2d37d569 14807->14822 14808 2d36f91b Mailbox 6 API calls 14809 2d37d53a 14808->14809 14811 2d37ea61 Mailbox 6 API calls 14809->14811 14810 2d37d59a 14871 2d3744ba 14810->14871 14812 2d37d546 14811->14812 14812->14806 14815 2d37d54a 14812->14815 14850 2d37cee4 14815->14850 14816 2d37d55b 14816->14793 14820 2d3744a2 Mailbox 6 API calls 14820->14816 14821 2d37ea61 Mailbox 6 API calls 14821->14822 14822->14810 14822->14821 14853 2d37b4ee 14822->14853 14857 2d37c8a2 14822->14857 14826 2d38f391 14823->14826 14829 2d392305 TlsGetValue 14826->14829 14828 2d38f3a1 __invoke_watson 14830 2d39231d 14829->14830 14831 2d39233e GetModuleHandleW 14829->14831 14830->14831 14832 2d392327 TlsGetValue 14830->14832 14833 2d392359 GetProcAddress 14831->14833 14834 2d39234e 14831->14834 14836 2d392332 14832->14836 14838 2d392336 14833->14838 14839 2d390d27 14834->14839 14836->14831 14836->14838 14838->14828 14840 2d390d32 Sleep GetModuleHandleW 14839->14840 14841 2d390d50 14840->14841 14842 2d390d54 14840->14842 14841->14840 14841->14842 14842->14833 14842->14838 14844 2d36f91b Mailbox 6 API calls 14843->14844 14845 2d371ea1 14844->14845 14845->14801 14847 2d37ea71 14846->14847 14848 2d37d52a 14847->14848 14849 2d38f3b7 Mailbox 6 API calls 14847->14849 14848->14806 14848->14808 14849->14848 14874 2d37cb1a 14850->14874 14854 2d37b4f8 14853->14854 14856 2d37b4fd 14853->14856 14855 2d38f3b7 Mailbox 6 API calls 14854->14855 14855->14856 14856->14822 14859 2d37c8ae __EH_prolog3 14857->14859 14858 2d37c8e5 14861 2d37b4ee 6 API calls 14858->14861 14859->14858 14909 2d36dfed 14859->14909 14870 2d37c8ed Mailbox 14861->14870 14866 2d37bd65 67 API calls 14867 2d37caec Mailbox 14866->14867 14868 2d3744ba Mailbox 6 API calls 14867->14868 14869 2d37cb0f std::runtime_error::runtime_error 14868->14869 14869->14822 14870->14866 14872 2d36f91b Mailbox 6 API calls 14871->14872 14873 2d3744cb 14872->14873 14873->14816 14875 2d37cb53 14874->14875 14878 2d37cb2e Mailbox 14874->14878 14875->14820 14876 2d37cb1a 67 API calls 14876->14878 14878->14875 14878->14876 14879 2d37bd65 14878->14879 14882 2d37bb41 14879->14882 14881 2d37bd73 Mailbox 14881->14878 14887 2d36d44f 14882->14887 14884 2d37bb50 14885 2d36d44f Mailbox 67 API calls 14884->14885 14886 2d37bb5b 14885->14886 14886->14881 14888 2d36d45b 14887->14888 14889 2d36d479 Mailbox 14887->14889 14888->14889 14891 2d36ce91 14888->14891 14889->14884 14894 2d36cdb1 14891->14894 14897 2d38ee8e 14894->14897 14896 2d36cdcb 14896->14889 14900 2d38ee9e _realloc 14897->14900 14902 2d38eea2 _memset 14897->14902 14898 2d38eea7 14906 2d392e82 14898->14906 14900->14896 14901 2d38eeac 14903 2d38f391 __locking 6 API calls 14901->14903 14902->14898 14902->14900 14904 2d38eef1 14902->14904 14903->14900 14904->14900 14905 2d392e82 __locking 67 API calls 14904->14905 14905->14901 14907 2d392519 __getptd_noexit 67 API calls 14906->14907 14908 2d392e87 14907->14908 14908->14901 14910 2d36e001 std::runtime_error::~runtime_error 14909->14910 14919 2d36dc92 14910->14919 14913 2d36dfa2 14914 2d36df22 std::runtime_error::runtime_error 95 API calls 14913->14914 14915 2d36dfb0 14914->14915 14916 2d38ee42 14915->14916 14917 2d38ee6b 14916->14917 14918 2d38ee77 KiUserExceptionDispatcher 14916->14918 14917->14918 14918->14858 14920 2d36dc9c 14919->14920 14920->14920 14923 2d36daa3 14920->14923 14922 2d36dcae 14922->14913 14924 2d36dab3 std::_String_base::_Xlen 14923->14924 14925 2d36dab7 14924->14925 14926 2d36dad5 14924->14926 14932 2d36da14 14925->14932 14945 2d36d8ea 14926->14945 14929 2d36dad3 std::runtime_error::~runtime_error 14929->14922 14930 2d36dae1 14930->14929 14954 2d36d336 14930->14954 14933 2d36da27 14932->14933 14934 2d36da2c 14932->14934 14957 2d39e572 14933->14957 14936 2d36da42 14934->14936 14937 2d36da5a 14934->14937 14982 2d36d49a 14936->14982 14939 2d36d8ea std::runtime_error::runtime_error 95 API calls 14937->14939 14940 2d36da62 14939->14940 14943 2d36da58 std::runtime_error::~runtime_error 14940->14943 14944 2d36d336 std::runtime_error::runtime_error 67 API calls 14940->14944 14941 2d36da4c 14942 2d36d49a std::runtime_error::runtime_error 95 API calls 14941->14942 14942->14943 14943->14929 14944->14943 14946 2d36d8fe 14945->14946 14947 2d36d8f9 14945->14947 14949 2d36d903 14946->14949 14950 2d36d910 14946->14950 14997 2d39e53a 14947->14997 15027 2d36d506 14949->15027 14952 2d36d90e std::runtime_error::~runtime_error 14950->14952 15035 2d36d404 14950->15035 14952->14930 15111 2d36d087 14954->15111 14958 2d39e57e __EH_prolog3 14957->14958 14959 2d36dfed std::_String_base::_Xlen 85 API calls 14958->14959 14960 2d39e58b 14959->14960 14961 2d36dfa2 std::bad_exception::bad_exception 85 API calls 14960->14961 14962 2d39e59b 14961->14962 14963 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 14962->14963 14964 2d39e5a9 14963->14964 14965 2d39e611 RaiseException 14964->14965 14967 2d39e630 14964->14967 14969 2d39e7be 14965->14969 14966 2d39e728 14966->14969 14974 2d39e773 GetProcAddress 14966->14974 14967->14966 14968 2d39e69d LoadLibraryA 14967->14968 14967->14969 14970 2d39e6ed InterlockedExchange 14967->14970 14968->14970 14971 2d39e6ac GetLastError 14968->14971 14969->14934 14972 2d39e6fb 14970->14972 14973 2d39e721 FreeLibrary 14970->14973 14975 2d39e6cc RaiseException 14971->14975 14976 2d39e6be 14971->14976 14972->14966 14978 2d39e701 LocalAlloc 14972->14978 14973->14966 14974->14969 14977 2d39e783 GetLastError 14974->14977 14975->14969 14976->14970 14976->14975 14979 2d39e795 14977->14979 14978->14966 14980 2d39e70f 14978->14980 14979->14969 14981 2d39e7a3 RaiseException 14979->14981 14980->14966 14981->14969 14983 2d36d4a9 14982->14983 14985 2d36d4ae 14982->14985 14984 2d39e572 std::runtime_error::runtime_error 95 API calls 14983->14984 14984->14985 14987 2d36d4ef std::runtime_error::~runtime_error 14985->14987 14988 2d36d36c 14985->14988 14987->14941 14991 2d36d0bd 14988->14991 14994 2d36cee5 14991->14994 14995 2d38ef0b _memmove_s 67 API calls 14994->14995 14996 2d36cef9 14995->14996 14996->14987 14998 2d39e546 __EH_prolog3 14997->14998 14999 2d36dfed std::_String_base::_Xlen 85 API calls 14998->14999 15000 2d39e553 14999->15000 15039 2d36df57 15000->15039 15003 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15004 2d39e571 __EH_prolog3 15003->15004 15005 2d36dfed std::_String_base::_Xlen 85 API calls 15004->15005 15006 2d39e58b 15005->15006 15007 2d36dfa2 std::bad_exception::bad_exception 85 API calls 15006->15007 15008 2d39e59b 15007->15008 15009 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15008->15009 15010 2d39e5a9 15009->15010 15011 2d39e611 RaiseException 15010->15011 15012 2d39e630 15010->15012 15014 2d39e7be 15011->15014 15013 2d39e69d LoadLibraryA 15012->15013 15012->15014 15015 2d39e6ed InterlockedExchange 15012->15015 15019 2d39e70f 15012->15019 15013->15015 15016 2d39e6ac GetLastError 15013->15016 15014->14946 15017 2d39e6fb 15015->15017 15018 2d39e721 FreeLibrary 15015->15018 15021 2d39e6cc RaiseException 15016->15021 15024 2d39e6be 15016->15024 15017->15019 15023 2d39e701 LocalAlloc 15017->15023 15018->15019 15019->15014 15020 2d39e773 GetProcAddress 15019->15020 15020->15014 15022 2d39e783 GetLastError 15020->15022 15021->15014 15025 2d39e795 15022->15025 15023->15019 15024->15015 15024->15021 15025->15014 15026 2d39e7a3 RaiseException 15025->15026 15026->15014 15028 2d36d512 __EH_prolog3_catch 15027->15028 15050 2d36cfeb 15028->15050 15030 2d36d5a9 15031 2d36d404 std::runtime_error::~runtime_error 67 API calls 15030->15031 15034 2d36d5b4 std::runtime_error::~runtime_error std::runtime_error::runtime_error 15031->15034 15033 2d36d336 std::runtime_error::runtime_error 67 API calls 15033->15030 15034->14952 15036 2d36d410 15035->15036 15037 2d36d42e std::runtime_error::~runtime_error Mailbox 15035->15037 15036->15037 15108 2d36cec9 15036->15108 15037->14952 15042 2d36df22 15039->15042 15041 2d36df65 15041->15003 15043 2d36df2e __EH_prolog3 std::runtime_error::runtime_error 15042->15043 15046 2d36dc69 15043->15046 15045 2d36df4d std::runtime_error::runtime_error 15045->15041 15047 2d36dc7d std::runtime_error::~runtime_error 15046->15047 15048 2d36da14 std::runtime_error::runtime_error 95 API calls 15047->15048 15049 2d36dc8b 15048->15049 15049->15045 15051 2d36d005 15050->15051 15052 2d36cff8 15050->15052 15051->15052 15053 2d36d011 15051->15053 15060 2d38ef83 15052->15060 15072 2d36ce45 15053->15072 15058 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15059 2d36d029 15058->15059 15062 2d38ef8d 15060->15062 15063 2d36d000 15062->15063 15067 2d38efa9 std::bad_alloc::bad_alloc 15062->15067 15075 2d3910ae 15062->15075 15093 2d39322f 15062->15093 15063->15030 15063->15033 15065 2d38efcf 15099 2d36d06c 15065->15099 15067->15065 15096 2d38f9dc 15067->15096 15070 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15071 2d38efe7 15070->15071 15102 2d38f006 15072->15102 15076 2d3910c0 15075->15076 15077 2d391163 15075->15077 15080 2d3910d1 15076->15080 15084 2d39105f _realloc 66 API calls 15076->15084 15085 2d39111f RtlAllocateHeap 15076->15085 15087 2d39115b 15076->15087 15088 2d39114f 15076->15088 15089 2d39322f _realloc 6 API calls 15076->15089 15091 2d391154 15076->15091 15078 2d39322f _realloc 6 API calls 15077->15078 15079 2d391169 15078->15079 15081 2d392e82 __locking 66 API calls 15079->15081 15080->15076 15082 2d391985 __FF_MSGBANNER 66 API calls 15080->15082 15083 2d3917da __NMSG_WRITE 66 API calls 15080->15083 15086 2d390dab _doexit GetModuleHandleW GetProcAddress ExitProcess 15080->15086 15081->15087 15082->15080 15083->15080 15084->15076 15085->15076 15086->15080 15087->15062 15090 2d392e82 __locking 66 API calls 15088->15090 15089->15076 15090->15091 15092 2d392e82 __locking 66 API calls 15091->15092 15092->15087 15094 2d392305 __decode_pointer 6 API calls 15093->15094 15095 2d39323f 15094->15095 15095->15062 15097 2d38f9a0 __cinit 74 API calls 15096->15097 15098 2d38f9e9 15097->15098 15098->15065 15100 2d38f076 std::exception::exception 67 API calls 15099->15100 15101 2d36d07a 15100->15101 15101->15070 15103 2d38f01f ___convertcp 15102->15103 15107 2d36ce54 15102->15107 15104 2d3910ae _realloc 67 API calls 15103->15104 15105 2d38f02e 15104->15105 15106 2d393257 _strcpy_s 67 API calls 15105->15106 15105->15107 15106->15107 15107->15058 15109 2d38ee8e _memcpy_s 67 API calls 15108->15109 15110 2d36cedd 15109->15110 15110->15037 15112 2d36cec9 char_traits 67 API calls 15111->15112 15113 2d36d09b 15112->15113 15113->14929 15114 2d3848bb 15117 2d3844e0 15114->15117 15116 2d3848c6 Mailbox 15118 2d3844ec __EH_prolog3 15117->15118 15129 2d37a431 15118->15129 15121 2d36d44f Mailbox 67 API calls 15122 2d38450c 15121->15122 15123 2d36d44f Mailbox 67 API calls 15122->15123 15124 2d384518 15123->15124 15125 2d36d44f Mailbox 67 API calls 15124->15125 15126 2d384524 15125->15126 15127 2d36d44f Mailbox 67 API calls 15126->15127 15128 2d384530 std::runtime_error::runtime_error 15127->15128 15128->15116 15130 2d37a48f 15129->15130 15131 2d37a43a 15129->15131 15130->15121 15142 2d385e3a 15131->15142 15134 2d385e3a Mailbox WriteFile 15135 2d37a45a 15134->15135 15146 2d37a30f PostMessageA 15135->15146 15137 2d37a461 WaitForSingleObject CloseHandle 15138 2d385e3a Mailbox WriteFile 15137->15138 15139 2d37a485 15138->15139 15140 2d385e3a Mailbox WriteFile 15139->15140 15141 2d37a48d 15140->15141 15141->15130 15143 2d385e4a WriteFile 15142->15143 15144 2d37a44d 15142->15144 15143->15144 15144->15134 15146->15137 20097 2d39a2be 20098 2d39a2cf 20097->20098 20099 2d39a2ee LeaveCriticalSection 20097->20099 20098->20099 20100 2d39a2d6 20098->20100 20103 2d3933e2 LeaveCriticalSection 20100->20103 20102 2d39a2eb 20103->20102 17061 2d37a683 17062 2d37a694 17061->17062 17063 2d37a6af CreateEventA 17061->17063 17093 2d3793bf 17062->17093 17064 2d37a6c1 GetLastError 17063->17064 17065 2d37a6df 17063->17065 17068 2d36e813 102 API calls 17064->17068 17072 2d39079c 17065->17072 17067 2d37a69c 17071 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 17067->17071 17068->17067 17071->17063 17073 2d3907cc 17072->17073 17074 2d3907b0 17072->17074 17076 2d3923a0 ___set_flsgetvalue 8 API calls 17073->17076 17075 2d392e82 __locking 67 API calls 17074->17075 17077 2d3907b5 17075->17077 17078 2d3907d2 17076->17078 17079 2d38f391 __locking 6 API calls 17077->17079 17080 2d39527b __calloc_crt 67 API calls 17078->17080 17087 2d37a6fa WaitForSingleObject CloseHandle 17079->17087 17081 2d3907de 17080->17081 17082 2d390830 17081->17082 17084 2d392592 __getptd 67 API calls 17081->17084 17083 2d38f117 __fclose_nolock 67 API calls 17082->17083 17085 2d390836 17083->17085 17086 2d3907eb 17084->17086 17085->17087 17089 2d392ea8 __dosmaperr 67 API calls 17085->17089 17088 2d392432 __mtinit 67 API calls 17086->17088 17090 2d3907f4 CreateThread 17088->17090 17089->17087 17090->17087 17092 2d390827 GetLastError 17090->17092 17098 2d390719 17090->17098 17092->17082 17094 2d385e3a Mailbox WriteFile 17093->17094 17095 2d3793d4 17094->17095 17096 2d385e3a Mailbox WriteFile 17095->17096 17097 2d3793e0 17096->17097 17097->17067 17099 2d3923a0 ___set_flsgetvalue 8 API calls 17098->17099 17100 2d390724 __threadstartex@4 17099->17100 17113 2d392380 TlsGetValue 17100->17113 17103 2d39075d 17128 2d3925ac 17103->17128 17104 2d390733 __threadstartex@4 17125 2d3923d4 17104->17125 17106 2d390778 __IsNonwritableInCurrentImage 17115 2d3906d8 17106->17115 17111 2d390753 GetCurrentThreadId 17111->17106 17112 2d390746 GetLastError ExitThread 17114 2d39072f 17113->17114 17114->17103 17114->17104 17116 2d3906e4 __locking 17115->17116 17117 2d392592 __getptd 67 API calls 17116->17117 17118 2d3906e9 17117->17118 17164 2d37a619 17118->17164 17126 2d392305 __decode_pointer 6 API calls 17125->17126 17127 2d390742 17126->17127 17127->17111 17127->17112 17129 2d3925b8 __locking 17128->17129 17130 2d3925d0 17129->17130 17132 2d3926ba __locking 17129->17132 17133 2d38f117 __fclose_nolock 67 API calls 17129->17133 17131 2d3925de 17130->17131 17134 2d38f117 __fclose_nolock 67 API calls 17130->17134 17135 2d3925ec 17131->17135 17136 2d38f117 __fclose_nolock 67 API calls 17131->17136 17132->17106 17133->17130 17134->17131 17137 2d38f117 __fclose_nolock 67 API calls 17135->17137 17139 2d3925fa 17135->17139 17136->17135 17137->17139 17138 2d392616 17143 2d392624 17138->17143 17144 2d38f117 __fclose_nolock 67 API calls 17138->17144 17140 2d38f117 __fclose_nolock 67 API calls 17139->17140 17141 2d392608 17139->17141 17140->17141 17141->17138 17142 2d38f117 __fclose_nolock 67 API calls 17141->17142 17142->17138 17145 2d392635 17143->17145 17146 2d38f117 __fclose_nolock 67 API calls 17143->17146 17144->17143 17147 2d3934be __lock 67 API calls 17145->17147 17146->17145 17148 2d39263d 17147->17148 17149 2d392649 InterlockedDecrement 17148->17149 17150 2d392662 17148->17150 17149->17150 17151 2d392654 17149->17151 17196 2d3926c6 17150->17196 17151->17150 17154 2d38f117 __fclose_nolock 67 API calls 17151->17154 17154->17150 17155 2d3934be __lock 67 API calls 17156 2d392676 17155->17156 17157 2d3926a7 17156->17157 17159 2d398676 ___removelocaleref 8 API calls 17156->17159 17199 2d3926d2 17157->17199 17162 2d39268b 17159->17162 17161 2d38f117 __fclose_nolock 67 API calls 17161->17132 17162->17157 17163 2d39849e ___freetlocinfo 67 API calls 17162->17163 17163->17157 17179 2d37a5cb CreateDialogParamW 17164->17179 17167 2d37a66d KiUserCallbackDispatcher 17168 2d37a644 17167->17168 17169 2d37a67a 17167->17169 17168->17169 17170 2d37a649 IsDialogMessage 17168->17170 17172 2d39069b 17169->17172 17170->17167 17171 2d37a659 TranslateMessage DispatchMessageA 17170->17171 17171->17167 17175 2d3906a9 __IsNonwritableInCurrentImage 17172->17175 17173 2d392519 __getptd_noexit 67 API calls 17174 2d3906c3 17173->17174 17176 2d3906ce ExitThread 17174->17176 17185 2d3926db 17174->17185 17175->17173 17180 2d37a615 SetEvent 17179->17180 17181 2d37a5f3 GetLastError 17179->17181 17180->17167 17182 2d36e813 102 API calls 17181->17182 17183 2d37a602 17182->17183 17184 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 17183->17184 17184->17180 17186 2d3926e9 17185->17186 17187 2d392734 17185->17187 17190 2d3926ef TlsGetValue 17186->17190 17191 2d392712 17186->17191 17188 2d39273e TlsSetValue 17187->17188 17189 2d3906cd 17187->17189 17188->17189 17189->17176 17190->17191 17192 2d392702 TlsGetValue 17190->17192 17193 2d392305 __decode_pointer 6 API calls 17191->17193 17192->17191 17194 2d392729 17193->17194 17195 2d3925ac __freefls@4 76 API calls 17194->17195 17195->17187 17202 2d3933e2 LeaveCriticalSection 17196->17202 17198 2d39266f 17198->17155 17203 2d3933e2 LeaveCriticalSection 17199->17203 17201 2d3926b4 17201->17161 17202->17198 17203->17201 15558 2d3885f0 15563 2d3885a7 15558->15563 15564 2d3885be 15563->15564 15565 2d3885c3 15563->15565 15566 2d38f3b7 Mailbox 6 API calls 15564->15566 15567 2d3884f9 15565->15567 15566->15565 15568 2d388512 SetFilePointer 15567->15568 15571 2d38850e 15567->15571 15570 2d388539 ReadFile 15568->15570 15568->15571 15570->15571 15579 2d37a4fe 15580 2d37a50a SetWindowLongA 15579->15580 15581 2d37a569 GetWindowLongA 15579->15581 15584 2d37a528 GetDlgItem GetDlgItem SendMessageA SendMessageA SendMessageA 15580->15584 15589 2d37a565 15580->15589 15582 2d37a5bc PostQuitMessage 15581->15582 15583 2d37a57b 15581->15583 15582->15589 15585 2d37a59f 15583->15585 15586 2d37a588 15583->15586 15584->15589 15587 2d37a5ac ShowWindow 15585->15587 15585->15589 15588 2d37a594 KiUserCallbackDispatcher 15586->15588 15586->15589 15587->15589 15588->15589 15590 2d3898f1 15597 2d38906a 15590->15597 15594 2d389909 15608 2d38981a 15594->15608 15617 2d388eaa 15597->15617 15600 2d38949b 15601 2d3894a7 __EH_prolog3 15600->15601 15630 2d388ba2 15601->15630 15603 2d3894c1 15636 2d389090 15603->15636 15606 2d3889ea 67 API calls 15607 2d3894dc std::runtime_error::runtime_error 15606->15607 15607->15594 15609 2d36e7f7 101 API calls 15608->15609 15610 2d38984f 15609->15610 15613 2d38985e 15610->15613 15704 2d379399 15610->15704 15612 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15612->15613 15613->15612 15614 2d3898d1 15613->15614 15615 2d38f7a3 ___convertcp 5 API calls 15614->15615 15616 2d3898ed 15615->15616 15618 2d388ee3 15617->15618 15620 2d388ebe Mailbox 15617->15620 15618->15600 15619 2d388eaa 67 API calls 15619->15620 15620->15618 15620->15619 15622 2d388a7b 15620->15622 15625 2d3889ea 15622->15625 15624 2d388a89 Mailbox 15624->15620 15626 2d36d404 std::runtime_error::~runtime_error 67 API calls 15625->15626 15627 2d3889f9 15626->15627 15628 2d36d404 std::runtime_error::~runtime_error 67 API calls 15627->15628 15629 2d388a04 15628->15629 15629->15624 15631 2d388bae __EH_prolog3 15630->15631 15632 2d36dfed std::_String_base::_Xlen 95 API calls 15631->15632 15633 2d388bbd 15632->15633 15634 2d36dfed std::_String_base::_Xlen 95 API calls 15633->15634 15635 2d388bcc std::runtime_error::runtime_error 15634->15635 15635->15603 15637 2d3890a9 15636->15637 15638 2d3890cd 15637->15638 15652 2d3889d1 15637->15652 15639 2d36f91b Mailbox 6 API calls 15638->15639 15641 2d3890d7 15639->15641 15642 2d389123 15641->15642 15643 2d3744a2 Mailbox 6 API calls 15641->15643 15644 2d3889d1 95 API calls 15642->15644 15645 2d3890e8 15643->15645 15648 2d3890f5 15644->15648 15646 2d37ea61 Mailbox 6 API calls 15645->15646 15647 2d3890f1 15646->15647 15647->15648 15667 2d37b577 15647->15667 15650 2d389106 15648->15650 15655 2d388f16 15648->15655 15650->15606 15671 2d38895e 15652->15671 15656 2d388f22 __EH_prolog3 15655->15656 15657 2d388f58 15656->15657 15659 2d36dfed std::_String_base::_Xlen 95 API calls 15656->15659 15679 2d388bd6 15657->15679 15660 2d388f3a 15659->15660 15661 2d36df57 std::bad_exception::bad_exception 95 API calls 15660->15661 15662 2d388f4a 15661->15662 15663 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15662->15663 15663->15657 15664 2d371e90 Mailbox 6 API calls 15666 2d38905f std::runtime_error::runtime_error 15664->15666 15665 2d388f6b 15665->15664 15666->15650 15668 2d37b581 15667->15668 15670 2d37b586 15667->15670 15669 2d38f3b7 Mailbox 6 API calls 15668->15669 15669->15670 15670->15642 15672 2d38896d 15671->15672 15675 2d3793e5 15672->15675 15676 2d3793f5 15675->15676 15678 2d3793fa 15675->15678 15677 2d39e572 std::runtime_error::runtime_error 95 API calls 15676->15677 15677->15678 15678->15637 15680 2d388be2 __EH_prolog3_catch 15679->15680 15685 2d37b535 15680->15685 15683 2d388c15 std::runtime_error::runtime_error 15683->15665 15686 2d37b552 15685->15686 15687 2d37b542 15685->15687 15686->15687 15688 2d37b55e 15686->15688 15689 2d38ef83 std::runtime_error::runtime_error 75 API calls 15687->15689 15690 2d36ce45 std::bad_exception::bad_exception 67 API calls 15688->15690 15691 2d37b54d 15689->15691 15692 2d37b568 15690->15692 15691->15683 15695 2d388b6f 15691->15695 15693 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 15692->15693 15694 2d37b576 15693->15694 15698 2d388b3b 15695->15698 15697 2d388b91 15697->15683 15699 2d388b47 __EH_prolog3 15698->15699 15700 2d36dc69 std::runtime_error::runtime_error 95 API calls 15699->15700 15701 2d388b55 15700->15701 15702 2d36dc69 std::runtime_error::runtime_error 95 API calls 15701->15702 15703 2d388b65 std::runtime_error::runtime_error 15702->15703 15703->15697 15705 2d385e3a Mailbox WriteFile 15704->15705 15706 2d3793ae 15705->15706 15707 2d385e3a Mailbox WriteFile 15706->15707 15708 2d3793ba 15707->15708 15708->15613 16145 2d3897f6 16148 2d38962b 16145->16148 16147 2d389808 16149 2d389637 __EH_prolog3 16148->16149 16150 2d38964f 16149->16150 16152 2d3896a8 16149->16152 16153 2d38964c 16149->16153 16155 2d389656 std::runtime_error::runtime_error 16149->16155 16150->16155 16233 2d36f342 16150->16233 16154 2d36dfed std::_String_base::_Xlen 95 API calls 16152->16154 16153->16150 16157 2d389661 16153->16157 16158 2d3896b6 16154->16158 16155->16147 16189 2d388652 16157->16189 16161 2d36f91b Mailbox 6 API calls 16158->16161 16160 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16164 2d3897cd __EH_prolog3 16160->16164 16163 2d3896c6 16161->16163 16194 2d388a9d 16163->16194 16238 2d38959a 16164->16238 16168 2d37ea61 Mailbox 6 API calls 16169 2d3896e0 16168->16169 16170 2d36d404 std::runtime_error::~runtime_error 67 API calls 16169->16170 16172 2d3896f4 16170->16172 16171 2d3897e8 Mailbox std::runtime_error::runtime_error 16171->16147 16172->16155 16173 2d3896fe DosDateTimeToFileTime 16172->16173 16173->16155 16174 2d38971e 16173->16174 16175 2d389766 16174->16175 16176 2d36dfed std::_String_base::_Xlen 95 API calls 16174->16176 16177 2d36dfed std::_String_base::_Xlen 95 API calls 16175->16177 16178 2d38972f 16176->16178 16179 2d389774 16177->16179 16180 2d3894e4 95 API calls 16178->16180 16205 2d3894e4 16179->16205 16185 2d38973d 16180->16185 16182 2d389786 16225 2d3893f4 16182->16225 16184 2d38979e 16186 2d36d404 std::runtime_error::~runtime_error 67 API calls 16184->16186 16187 2d36d404 std::runtime_error::~runtime_error 67 API calls 16185->16187 16186->16155 16187->16175 16190 2d3885a7 6 API calls 16189->16190 16191 2d388669 16190->16191 16192 2d3885a7 6 API calls 16191->16192 16193 2d388673 16192->16193 16245 2d388a5f 16194->16245 16197 2d36f91b Mailbox 6 API calls 16198 2d388abe 16197->16198 16199 2d37ea61 Mailbox 6 API calls 16198->16199 16200 2d388aca 16199->16200 16201 2d388add 16200->16201 16202 2d3889d1 95 API calls 16200->16202 16203 2d36f91b Mailbox 6 API calls 16201->16203 16204 2d388ae3 16201->16204 16202->16201 16203->16204 16204->16168 16206 2d3894f0 __EH_prolog3 16205->16206 16207 2d388a5f 95 API calls 16206->16207 16208 2d3894fe 16207->16208 16209 2d36f91b Mailbox 6 API calls 16208->16209 16210 2d38950b 16209->16210 16211 2d37ea61 Mailbox 6 API calls 16210->16211 16212 2d389517 16211->16212 16213 2d38952a std::runtime_error::~runtime_error 16212->16213 16214 2d3889d1 95 API calls 16212->16214 16215 2d389587 16213->16215 16260 2d388b09 16213->16260 16214->16213 16254 2d38a0cf 16215->16254 16218 2d389554 16266 2d389157 16218->16266 16221 2d38958f std::runtime_error::runtime_error 16221->16182 16222 2d3889ea 67 API calls 16223 2d38957b 16222->16223 16224 2d36d404 std::runtime_error::~runtime_error 67 API calls 16223->16224 16224->16215 16226 2d389400 __EH_prolog3_catch 16225->16226 16227 2d38ef83 std::runtime_error::runtime_error 75 API calls 16226->16227 16228 2d389407 16227->16228 16231 2d38944c std::runtime_error::runtime_error 16228->16231 16305 2d3887d7 16228->16305 16231->16184 16234 2d385e3a Mailbox WriteFile 16233->16234 16235 2d36f357 16234->16235 16236 2d385e3a Mailbox WriteFile 16235->16236 16237 2d36f363 16236->16237 16237->16160 16239 2d36f91b Mailbox 6 API calls 16238->16239 16240 2d3895af 16239->16240 16241 2d3744a2 Mailbox 6 API calls 16240->16241 16242 2d3895ba 16241->16242 16431 2d3892ee 16242->16431 16244 2d3895d0 Mailbox 16244->16171 16250 2d388a06 16245->16250 16248 2d371e90 Mailbox 6 API calls 16249 2d388a74 16248->16249 16249->16197 16251 2d388a15 16250->16251 16252 2d388a36 16251->16252 16253 2d3889d1 95 API calls 16251->16253 16252->16248 16253->16251 16255 2d38a0d8 16254->16255 16256 2d38a0dd 16254->16256 16257 2d38f3b7 Mailbox 6 API calls 16255->16257 16258 2d38a0f6 16256->16258 16259 2d38f3b7 Mailbox 6 API calls 16256->16259 16257->16256 16258->16221 16259->16258 16261 2d388b15 __EH_prolog3 16260->16261 16262 2d36dc69 std::runtime_error::runtime_error 95 API calls 16261->16262 16263 2d388b22 16262->16263 16264 2d36dc69 std::runtime_error::runtime_error 95 API calls 16263->16264 16265 2d388b31 std::runtime_error::runtime_error 16264->16265 16265->16218 16267 2d38917e 16266->16267 16268 2d389166 16266->16268 16270 2d3744a2 Mailbox 6 API calls 16267->16270 16269 2d388f16 95 API calls 16268->16269 16286 2d389176 16269->16286 16271 2d389189 16270->16271 16272 2d37ea61 Mailbox 6 API calls 16271->16272 16273 2d389192 16272->16273 16274 2d3891bb 16273->16274 16275 2d389196 16273->16275 16277 2d36f91b Mailbox 6 API calls 16274->16277 16276 2d3889d1 95 API calls 16275->16276 16304 2d3891a6 16276->16304 16278 2d3891c7 16277->16278 16281 2d37ea61 Mailbox 6 API calls 16278->16281 16279 2d3892cc 16282 2d389090 95 API calls 16279->16282 16280 2d3891b0 16288 2d388f16 95 API calls 16280->16288 16283 2d3891d3 16281->16283 16282->16286 16284 2d3891da 16283->16284 16285 2d389204 16283->16285 16287 2d3889d1 95 API calls 16284->16287 16289 2d3889d1 95 API calls 16285->16289 16286->16222 16287->16304 16288->16286 16290 2d389211 16289->16290 16292 2d37b577 6 API calls 16290->16292 16297 2d389238 16290->16297 16291 2d3889d1 95 API calls 16293 2d38925f 16291->16293 16294 2d38922b 16292->16294 16293->16279 16296 2d36f91b Mailbox 6 API calls 16293->16296 16295 2d3889d1 95 API calls 16294->16295 16295->16297 16298 2d38927d 16296->16298 16297->16280 16297->16291 16299 2d37b4ee 6 API calls 16298->16299 16300 2d389285 16299->16300 16301 2d37ea61 Mailbox 6 API calls 16300->16301 16302 2d389291 16301->16302 16302->16280 16303 2d3889d1 95 API calls 16302->16303 16303->16304 16304->16279 16304->16280 16306 2d388815 _memset 16305->16306 16323 2d38ffb2 16306->16323 16308 2d388829 __cftoa_l 16309 2d36e813 102 API calls 16308->16309 16310 2d388879 CreateFileA 16308->16310 16311 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16308->16311 16332 2d389959 16308->16332 16309->16308 16313 2d38889a GetLastError 16310->16313 16314 2d3888a3 SetFileTime 16310->16314 16311->16308 16313->16308 16315 2d38f7a3 ___convertcp 5 API calls 16314->16315 16316 2d3888c6 16315->16316 16317 2d38c0bd 16316->16317 16318 2d38c0ce 16317->16318 16319 2d38c0da 16318->16319 16346 2d38b2df 16318->16346 16319->16231 16324 2d38ffc4 16323->16324 16326 2d38ffcd 16324->16326 16328 2d38ffc8 16324->16328 16330 2d39000e 16324->16330 16325 2d392e82 __locking 67 API calls 16327 2d38ffe4 16325->16327 16326->16308 16329 2d38f391 __locking 6 API calls 16327->16329 16328->16325 16328->16326 16329->16326 16330->16326 16331 2d392e82 __locking 67 API calls 16330->16331 16331->16327 16333 2d38997b 16332->16333 16333->16333 16334 2d38998d CreateDirectoryA 16333->16334 16335 2d389a41 16333->16335 16334->16335 16336 2d3899a0 GetLastError 16334->16336 16337 2d38f7a3 ___convertcp 5 API calls 16335->16337 16336->16335 16341 2d3899b7 __cftoa_l 16336->16341 16338 2d389a4e 16337->16338 16338->16310 16339 2d38ffb2 __NMSG_WRITE 67 API calls 16339->16341 16340 2d36e813 102 API calls 16340->16341 16341->16339 16341->16340 16342 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16341->16342 16343 2d389959 103 API calls 16341->16343 16342->16341 16344 2d389a29 CreateDirectoryA 16343->16344 16344->16335 16345 2d389a37 GetLastError 16344->16345 16345->16335 16345->16341 16347 2d38b2f4 16346->16347 16348 2d38f3b7 Mailbox 6 API calls 16347->16348 16349 2d38b303 16347->16349 16348->16349 16350 2d38bec6 16349->16350 16351 2d38bee3 16350->16351 16357 2d38bedf 16350->16357 16352 2d38b2df 6 API calls 16351->16352 16353 2d38beed 16352->16353 16362 2d38b101 16353->16362 16356 2d38bf0d 16358 2d38b2df 6 API calls 16356->16358 16366 2d38bbc5 16357->16366 16359 2d38bf19 16358->16359 16384 2d3889a4 16359->16384 16363 2d38b111 16362->16363 16364 2d38b11a 16363->16364 16365 2d38f3b7 Mailbox 6 API calls 16363->16365 16364->16357 16365->16364 16367 2d38bbd2 16366->16367 16368 2d38bc01 16367->16368 16380 2d38bc75 Mailbox 16367->16380 16387 2d38b6b2 16367->16387 16370 2d38bca4 16368->16370 16375 2d38bc0c 16368->16375 16371 2d38bd01 16370->16371 16372 2d38bcb2 16370->16372 16374 2d38b4af 67 API calls 16371->16374 16373 2d38b4af 67 API calls 16372->16373 16373->16380 16376 2d38bd1b 16374->16376 16395 2d388751 16375->16395 16408 2d388911 16376->16408 16379 2d38bc33 16405 2d38b4af 16379->16405 16380->16356 16383 2d38b4af 67 API calls 16383->16380 16425 2d388704 16384->16425 16388 2d38b6be __EH_prolog3 16387->16388 16389 2d36dfed std::_String_base::_Xlen 95 API calls 16388->16389 16390 2d38b6cb 16389->16390 16391 2d36df57 std::bad_exception::bad_exception 95 API calls 16390->16391 16392 2d38b6db 16391->16392 16393 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16392->16393 16394 2d38b6e9 16393->16394 16396 2d388770 16395->16396 16397 2d38875e 16395->16397 16396->16397 16398 2d38877c 16396->16398 16399 2d38ef83 std::runtime_error::runtime_error 75 API calls 16397->16399 16400 2d36ce45 std::bad_exception::bad_exception 67 API calls 16398->16400 16401 2d38876b 16399->16401 16402 2d388786 16400->16402 16401->16379 16403 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16402->16403 16404 2d388794 16403->16404 16411 2d38b3c3 16405->16411 16418 2d38b3ea 16408->16418 16414 2d38b22a 16411->16414 16415 2d38b251 16414->16415 16416 2d38b246 16414->16416 16415->16383 16417 2d38ef0b _memmove_s 67 API calls 16416->16417 16417->16415 16421 2d38b25b 16418->16421 16422 2d388933 16421->16422 16423 2d38b276 16421->16423 16422->16380 16424 2d38ef0b _memmove_s 67 API calls 16423->16424 16424->16422 16426 2d388711 16425->16426 16429 2d388716 16425->16429 16427 2d38f3b7 Mailbox 6 API calls 16426->16427 16427->16429 16428 2d38f3b7 Mailbox 6 API calls 16430 2d388746 16428->16430 16429->16428 16429->16430 16430->16319 16432 2d3744a2 Mailbox 6 API calls 16431->16432 16433 2d3892ff 16432->16433 16434 2d37ea61 Mailbox 6 API calls 16433->16434 16435 2d389308 16434->16435 16436 2d38933b 16435->16436 16437 2d36f91b Mailbox 6 API calls 16435->16437 16438 2d37ea61 Mailbox 6 API calls 16436->16438 16439 2d389318 16437->16439 16447 2d389347 16438->16447 16440 2d37ea61 Mailbox 6 API calls 16439->16440 16442 2d389324 16440->16442 16441 2d389378 16443 2d3744ba Mailbox 6 API calls 16441->16443 16442->16436 16444 2d389328 16442->16444 16445 2d389339 16443->16445 16448 2d38906a 67 API calls 16444->16448 16445->16244 16446 2d37b4ee 6 API calls 16446->16447 16447->16441 16447->16446 16452 2d37ea61 Mailbox 6 API calls 16447->16452 16453 2d388c32 16447->16453 16450 2d38932f 16448->16450 16451 2d3744a2 Mailbox 6 API calls 16450->16451 16451->16445 16452->16447 16454 2d388c3e __EH_prolog3 16453->16454 16455 2d388c75 16454->16455 16456 2d36dfed std::_String_base::_Xlen 95 API calls 16454->16456 16457 2d37b4ee 6 API calls 16455->16457 16458 2d388c57 16456->16458 16462 2d388c7d Mailbox 16457->16462 16459 2d36dfa2 std::bad_exception::bad_exception 95 API calls 16458->16459 16460 2d388c67 16459->16460 16461 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16460->16461 16461->16455 16463 2d388a7b 67 API calls 16462->16463 16464 2d388e7c Mailbox 16463->16464 16465 2d3744ba Mailbox 6 API calls 16464->16465 16466 2d388e9f std::runtime_error::runtime_error 16465->16466 16466->16447 16481 2d382ff7 16528 2d38fe39 16481->16528 16483 2d383029 GetVersionExA 16484 2d38308e 16483->16484 16485 2d383045 GetVersionExA 16483->16485 16530 2d36e7b5 16484->16530 16486 2d38305c GetLastError 16485->16486 16487 2d383087 16485->16487 16489 2d36e813 102 API calls 16486->16489 16487->16484 16491 2d38306e 16489->16491 16493 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16491->16493 16493->16487 16529 2d38fe45 __VEC_memzero 16528->16529 16529->16483 16631 2d38fc26 16530->16631 16533 2d381a56 16534 2d381a65 __EH_prolog3 16533->16534 16535 2d385e3a Mailbox WriteFile 16534->16535 16536 2d381a78 16535->16536 16679 2d36d3e8 16536->16679 16539 2d385e3a Mailbox WriteFile 16540 2d381a93 16539->16540 16541 2d381ab0 16540->16541 16542 2d38f117 __fclose_nolock 67 API calls 16540->16542 16543 2d385e3a Mailbox WriteFile 16541->16543 16542->16541 16544 2d381abd 16543->16544 16545 2d36d3e8 79 API calls 16544->16545 16546 2d381acb 16545->16546 16547 2d385e3a Mailbox WriteFile 16546->16547 16548 2d381adb 16547->16548 16549 2d381af8 16548->16549 16550 2d38f117 __fclose_nolock 67 API calls 16548->16550 16551 2d385e3a Mailbox WriteFile 16549->16551 16550->16549 16552 2d381b05 16551->16552 16553 2d385e3a Mailbox WriteFile 16552->16553 16554 2d381b12 16553->16554 16682 2d36eb5d 16554->16682 16559 2d36d44f Mailbox 67 API calls 16560 2d381b49 16559->16560 16561 2d36f91b Mailbox 6 API calls 16560->16561 16562 2d381b56 16561->16562 16563 2d37ea61 Mailbox 6 API calls 16562->16563 16564 2d381b62 16563->16564 16565 2d381be5 16564->16565 16566 2d385e3a Mailbox WriteFile 16564->16566 16567 2d36eb5d 95 API calls 16565->16567 16569 2d381b72 16566->16569 16568 2d381bf3 16567->16568 16570 2d36eb5d 95 API calls 16568->16570 16571 2d36d3e8 79 API calls 16569->16571 16573 2d381c0a 16570->16573 16572 2d381b80 16571->16572 16574 2d385e3a Mailbox WriteFile 16572->16574 16697 2d37bce2 16573->16697 16576 2d381b90 16574->16576 16578 2d381bad 16576->16578 16580 2d38f117 __fclose_nolock 67 API calls 16576->16580 16577 2d381c1b 16703 2d37bd14 16577->16703 16582 2d385e3a Mailbox WriteFile 16578->16582 16580->16578 16581 2d381c2b 16709 2d37ce1d 16581->16709 16584 2d381bba 16582->16584 16586 2d385e3a Mailbox WriteFile 16584->16586 16588 2d381bc2 16586->16588 16587 2d37bb41 67 API calls 16589 2d381c4c 16587->16589 16725 2d37eec5 16588->16725 16591 2d37bb41 67 API calls 16589->16591 16593 2d381c57 16591->16593 16592 2d381bd2 16594 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16592->16594 16595 2d36d44f Mailbox 67 API calls 16593->16595 16594->16565 16596 2d381c66 16595->16596 16634 2d38fb1a 16631->16634 16635 2d38fb47 16634->16635 16636 2d38fb27 16634->16636 16639 2d38fb55 16635->16639 16641 2d38fb7c 16635->16641 16637 2d392e82 __locking 67 API calls 16636->16637 16638 2d38fb2c 16637->16638 16640 2d38f391 __locking 6 API calls 16638->16640 16642 2d392e82 __locking 67 API calls 16639->16642 16644 2d36e7cc 16639->16644 16640->16644 16643 2d392e82 __locking 67 API calls 16641->16643 16663 2d38fb71 16642->16663 16645 2d38fb81 16643->16645 16644->16533 16646 2d38fbbc 16645->16646 16647 2d38fb8f 16645->16647 16650 2d38fa22 __vswprintf_helper 101 API calls 16646->16650 16664 2d38fa22 16647->16664 16648 2d38f391 __locking 6 API calls 16648->16644 16652 2d38fbca 16650->16652 16654 2d38fbf2 16652->16654 16655 2d38fbdf 16652->16655 16653 2d38fba9 16656 2d392e82 __locking 67 API calls 16653->16656 16654->16644 16661 2d392e82 __locking 67 API calls 16654->16661 16657 2d392e82 __locking 67 API calls 16655->16657 16658 2d38fbae 16656->16658 16659 2d38fbe4 16657->16659 16658->16644 16660 2d392e82 __locking 67 API calls 16658->16660 16659->16644 16662 2d392e82 __locking 67 API calls 16659->16662 16660->16644 16661->16663 16662->16644 16663->16648 16665 2d38fa52 16664->16665 16666 2d38fa32 16664->16666 16669 2d38fa62 16665->16669 16675 2d38fa82 16665->16675 16667 2d392e82 __locking 67 API calls 16666->16667 16668 2d38fa37 16667->16668 16670 2d38f391 __locking 6 API calls 16668->16670 16671 2d392e82 __locking 67 API calls 16669->16671 16674 2d38fa47 16670->16674 16672 2d38fa67 16671->16672 16673 2d38f391 __locking 6 API calls 16672->16673 16673->16674 16674->16653 16674->16654 16675->16674 16676 2d38fac9 16675->16676 16677 2d395315 __flsbuf 101 API calls 16675->16677 16676->16674 16678 2d395315 __flsbuf 101 API calls 16676->16678 16677->16676 16678->16674 16747 2d36d1fd 16679->16747 16683 2d36eb71 Mailbox 16682->16683 16684 2d36e012 95 API calls 16683->16684 16685 2d36eb7b 16684->16685 16686 2d37f9f1 16685->16686 16875 2d37f611 16686->16875 16689 2d36f91b Mailbox 6 API calls 16690 2d37fa12 16689->16690 16691 2d37ea61 Mailbox 6 API calls 16690->16691 16692 2d37fa1e 16691->16692 16693 2d37fa31 16692->16693 16880 2d36d895 16692->16880 16695 2d36f91b Mailbox 6 API calls 16693->16695 16696 2d37fa37 16693->16696 16695->16696 16696->16559 16698 2d37bcee __EH_prolog3 16697->16698 16895 2d36dc23 16698->16895 16701 2d36dc23 95 API calls 16702 2d37bd0a std::runtime_error::runtime_error 16701->16702 16702->16577 16704 2d37bd20 __EH_prolog3 16703->16704 16705 2d36dc23 95 API calls 16704->16705 16706 2d37bd2e 16705->16706 16707 2d36dc23 95 API calls 16706->16707 16708 2d37bd3e std::runtime_error::runtime_error 16707->16708 16708->16581 16710 2d37ce36 16709->16710 16711 2d37ce5a 16710->16711 16713 2d36d895 95 API calls 16710->16713 16712 2d36f91b Mailbox 6 API calls 16711->16712 16714 2d37ce64 16712->16714 16713->16710 16715 2d37ceb0 16714->16715 16717 2d3744a2 Mailbox 6 API calls 16714->16717 16716 2d36d895 95 API calls 16715->16716 16722 2d37ce82 16716->16722 16718 2d37ce75 16717->16718 16720 2d37ea61 Mailbox 6 API calls 16718->16720 16719 2d37ce93 16719->16587 16721 2d37ce7e 16720->16721 16721->16722 16724 2d37b577 6 API calls 16721->16724 16722->16719 16899 2d37c74e 16722->16899 16724->16715 16726 2d37eed4 __EH_prolog3 16725->16726 16727 2d385e3a Mailbox WriteFile 16726->16727 16728 2d37eee7 16727->16728 16729 2d36d3e8 79 API calls 16728->16729 16730 2d37eef5 16729->16730 16731 2d385e3a Mailbox WriteFile 16730->16731 16732 2d37ef02 16731->16732 16733 2d37ef1f 16732->16733 16734 2d38f117 __fclose_nolock 67 API calls 16732->16734 16735 2d385e3a Mailbox WriteFile 16733->16735 16734->16733 16736 2d37ef2c 16735->16736 16737 2d36d3e8 79 API calls 16736->16737 16738 2d37ef3a 16737->16738 16739 2d385e3a Mailbox WriteFile 16738->16739 16740 2d37ef4a 16739->16740 16741 2d37ef67 16740->16741 16742 2d38f117 __fclose_nolock 67 API calls 16740->16742 16743 2d385e3a Mailbox WriteFile 16741->16743 16742->16741 16744 2d37ef74 16743->16744 16745 2d385e3a Mailbox WriteFile 16744->16745 16746 2d37ef80 std::runtime_error::runtime_error 16745->16746 16746->16592 16748 2d36d216 lstrlenW 16747->16748 16749 2d36d20e 16747->16749 16758 2d36cf63 16748->16758 16749->16539 16752 2d36d259 GetLastError 16753 2d36d264 WideCharToMultiByte 16752->16753 16754 2d36d2a9 16752->16754 16755 2d36cf63 73 API calls 16753->16755 16754->16749 16764 2d36cd64 GetLastError 16754->16764 16756 2d36d28e WideCharToMultiByte 16755->16756 16756->16754 16759 2d36cf6f 16758->16759 16762 2d38f117 __fclose_nolock 67 API calls 16759->16762 16763 2d36cfb9 WideCharToMultiByte 16759->16763 16766 2d38f1e5 16759->16766 16777 2d38f1a5 16759->16777 16762->16759 16763->16749 16763->16752 16765 2d36cd6e 16764->16765 16767 2d38f21c 16766->16767 16768 2d38f1f4 16766->16768 16769 2d38f231 16767->16769 16784 2d3942ee 16767->16784 16768->16767 16770 2d38f200 16768->16770 16797 2d3940d3 16769->16797 16771 2d392e82 __locking 67 API calls 16770->16771 16774 2d38f205 16771->16774 16775 2d38f391 __locking 6 API calls 16774->16775 16776 2d38f215 _memset 16775->16776 16776->16759 16858 2d393fb5 16777->16858 16779 2d38f1bf 16780 2d38f1db 16779->16780 16781 2d392e82 __locking 67 API calls 16779->16781 16780->16759 16782 2d38f1d2 16781->16782 16782->16780 16783 2d392e82 __locking 67 API calls 16782->16783 16783->16780 16785 2d3942fa __locking 16784->16785 16786 2d39430a 16785->16786 16787 2d394327 16785->16787 16789 2d392e82 __locking 67 API calls 16786->16789 16788 2d394368 HeapSize 16787->16788 16790 2d3934be __lock 67 API calls 16787->16790 16793 2d39431f __locking 16788->16793 16791 2d39430f 16789->16791 16794 2d394337 ___sbh_find_block 16790->16794 16792 2d38f391 __locking 6 API calls 16791->16792 16792->16793 16793->16769 16833 2d394388 16794->16833 16798 2d3940df __locking 16797->16798 16799 2d3940f4 16798->16799 16800 2d3940e6 16798->16800 16802 2d3940fb 16799->16802 16803 2d394107 16799->16803 16801 2d3910ae _realloc 67 API calls 16800->16801 16818 2d3940ee __locking _realloc 16801->16818 16804 2d38f117 __fclose_nolock 67 API calls 16802->16804 16810 2d394279 16803->16810 16826 2d394114 _realloc ___sbh_resize_block ___sbh_find_block 16803->16826 16804->16818 16805 2d3942ac 16806 2d39322f _realloc 6 API calls 16805->16806 16809 2d3942b2 16806->16809 16807 2d3934be __lock 67 API calls 16807->16826 16808 2d39427e HeapReAlloc 16808->16810 16808->16818 16811 2d392e82 __locking 67 API calls 16809->16811 16810->16805 16810->16808 16812 2d3942d0 16810->16812 16813 2d39322f _realloc 6 API calls 16810->16813 16815 2d3942c6 16810->16815 16811->16818 16814 2d392e82 __locking 67 API calls 16812->16814 16812->16818 16813->16810 16816 2d3942d9 GetLastError 16814->16816 16819 2d392e82 __locking 67 API calls 16815->16819 16816->16818 16818->16776 16821 2d394247 16819->16821 16820 2d39419f HeapAlloc 16820->16826 16821->16818 16823 2d39424c GetLastError 16821->16823 16822 2d3941f4 HeapReAlloc 16822->16826 16823->16818 16825 2d39425f 16825->16818 16829 2d392e82 __locking 67 API calls 16825->16829 16826->16805 16826->16807 16826->16818 16826->16820 16826->16822 16826->16825 16827 2d39322f _realloc 6 API calls 16826->16827 16828 2d393521 __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 16826->16828 16830 2d394242 16826->16830 16837 2d393cd0 16826->16837 16843 2d394217 16826->16843 16827->16826 16828->16826 16831 2d39426c 16829->16831 16832 2d392e82 __locking 67 API calls 16830->16832 16831->16816 16831->16818 16832->16821 16836 2d3933e2 LeaveCriticalSection 16833->16836 16835 2d394363 16835->16788 16835->16793 16836->16835 16838 2d393cfe 16837->16838 16839 2d393da0 16838->16839 16840 2d393d97 16838->16840 16846 2d393837 16838->16846 16839->16826 16840->16839 16853 2d3938e7 16840->16853 16857 2d3933e2 LeaveCriticalSection 16843->16857 16845 2d39421e 16845->16826 16847 2d39384a HeapReAlloc 16846->16847 16848 2d39387e HeapAlloc 16846->16848 16849 2d39386c 16847->16849 16852 2d393868 16847->16852 16850 2d3938a1 VirtualAlloc 16848->16850 16848->16852 16849->16848 16851 2d3938bb HeapFree 16850->16851 16850->16852 16851->16852 16852->16840 16854 2d3938fe VirtualAlloc 16853->16854 16856 2d393945 16854->16856 16856->16839 16857->16845 16859 2d393fc1 __locking 16858->16859 16860 2d393fd9 16859->16860 16870 2d393ff8 _memset 16859->16870 16861 2d392e82 __locking 66 API calls 16860->16861 16862 2d393fde 16861->16862 16863 2d38f391 __locking 6 API calls 16862->16863 16865 2d393fee __locking 16863->16865 16864 2d39406a HeapAlloc 16864->16870 16865->16779 16866 2d39322f _realloc 6 API calls 16866->16870 16867 2d3934be __lock 66 API calls 16867->16870 16868 2d393cd0 ___sbh_alloc_block 5 API calls 16868->16870 16870->16864 16870->16865 16870->16866 16870->16867 16870->16868 16871 2d3940b1 16870->16871 16874 2d3933e2 LeaveCriticalSection 16871->16874 16873 2d3940b8 16873->16870 16874->16873 16883 2d37f278 16875->16883 16878 2d371e90 Mailbox 6 API calls 16879 2d37f626 16878->16879 16879->16689 16887 2d36d3a2 16880->16887 16886 2d37f287 16883->16886 16884 2d37f2a8 16884->16878 16885 2d36d895 95 API calls 16885->16886 16886->16884 16886->16885 16888 2d36d3b1 16887->16888 16891 2d36d138 16888->16891 16890 2d36d3c5 16890->16693 16892 2d36d148 16891->16892 16894 2d36d14d 16891->16894 16893 2d39e572 std::runtime_error::runtime_error 95 API calls 16892->16893 16893->16894 16894->16890 16896 2d36dc37 Mailbox 16895->16896 16897 2d36db12 95 API calls 16896->16897 16898 2d36dc45 16897->16898 16898->16701 16900 2d37c75a __EH_prolog3 16899->16900 16901 2d37c790 16900->16901 16903 2d36dfed std::_String_base::_Xlen 95 API calls 16900->16903 16911 2d37bdef 16901->16911 16904 2d37c772 16903->16904 16905 2d36df57 std::bad_exception::bad_exception 95 API calls 16904->16905 16906 2d37c782 16905->16906 16907 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 16906->16907 16907->16901 16912 2d37bdfb __EH_prolog3_catch 16911->16912 16913 2d37b535 75 API calls 16912->16913 16914 2d37be04 16913->16914 16915 2d37be2e std::runtime_error::runtime_error 16914->16915 16917 2d37bd87 16914->16917 21177 2d372ee9 21178 2d372ef7 21177->21178 21185 2d372f20 21177->21185 21179 2d372f26 21178->21179 21180 2d372f03 21178->21180 21178->21185 21186 2d37a321 GetDlgItem PostMessageA 21179->21186 21181 2d385e3a Mailbox WriteFile 21180->21181 21182 2d372f14 21181->21182 21183 2d385e3a Mailbox WriteFile 21182->21183 21183->21185 21186->21185 17049 2d37a3d8 GetDlgItem GetDlgItem 17050 2d37a3ff SetWindowTextW 17049->17050 17051 2d37a409 17049->17051 17050->17051 17052 2d37a40f SetWindowTextW 17051->17052 17053 2d37a419 17051->17053 17052->17053 17054 2d37a41f SetWindowTextW 17053->17054 17055 2d37a42a 17053->17055 17054->17055 17056 2d3928d6 HeapCreate 17057 2d3928fa 17056->17057 17236 2d36f5cb GetTempPathW 17237 2d36f607 GetLastError 17236->17237 17241 2d36f60d 17236->17241 17237->17241 17239 2d36e813 102 API calls 17239->17241 17240 2d36f658 CreateFileW 17242 2d36f676 GetLastError 17240->17242 17243 2d36f697 CloseHandle 17240->17243 17241->17239 17241->17240 17245 2d38ee42 __CxxThrowException@8 KiUserExceptionDispatcher 17241->17245 17247 2d38ff91 17241->17247 17242->17241 17244 2d38f7a3 ___convertcp 5 API calls 17243->17244 17246 2d36f6ab 17244->17246 17245->17241 17248 2d38fb1a __vsnwprintf_s_l 101 API calls 17247->17248 17249 2d38ffad 17248->17249 17249->17241 17250 2d390fc7 17253 2d390e9b 17250->17253 17252 2d390fd8 17254 2d390ea7 __locking 17253->17254 17255 2d3934be __lock 67 API calls 17254->17255 17256 2d390eae 17255->17256 17257 2d390f77 __initterm 17256->17257 17258 2d390eda 17256->17258 17272 2d390fb2 17257->17272 17260 2d392305 __decode_pointer 6 API calls 17258->17260 17262 2d390ee5 17260->17262 17264 2d390f67 __initterm 17262->17264 17266 2d392305 __decode_pointer 6 API calls 17262->17266 17263 2d390faf __locking 17263->17252 17264->17257 17271 2d390efa 17266->17271 17267 2d390fa6 17277 2d390dab 17267->17277 17269 2d392305 6 API calls __decode_pointer 17269->17271 17270 2d3922fc 6 API calls __init_pointers 17270->17271 17271->17264 17271->17269 17271->17270 17273 2d390fb8 17272->17273 17274 2d390f93 17272->17274 17280 2d3933e2 LeaveCriticalSection 17273->17280 17274->17263 17276 2d3933e2 LeaveCriticalSection 17274->17276 17276->17267 17281 2d390d80 GetModuleHandleW 17277->17281 17280->17274 17282 2d390da9 ExitProcess 17281->17282 17283 2d390d94 GetProcAddress 17281->17283 17283->17282 17284 2d390da4 17283->17284 17284->17282

                              Executed Functions

                              Function 2D382FF7 Relevance: 49.2, APIs: 8, Strings: 20, Instructions: 186COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • _memset.LIBCMT ref: 2D383024
                              • GetVersionExA.KERNEL32(?), ref: 2D38303F
                              • GetVersionExA.KERNEL32(?), ref: 2D383056
                              • GetLastError.KERNEL32 ref: 2D38305C
                              • __CxxThrowException@8.LIBCMT ref: 2D383082
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                              • GetSystemDefaultLangID.KERNEL32(SYS.WIN.SPLEVEL,NONE,SYS.WIN.PLATFORM,WIN9X,SYS.WIN.VER,?), ref: 2D383133
                              • GetUserDefaultLangID.KERNEL32(SYS.WIN.SYSTEMLCID,?), ref: 2D38315C
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,SYS.WIN.ARCHITECTURE,X86), ref: 2D3831F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DefaultFileLangUserVersion$DispatcherErrorExceptionException@8LastModuleNameSystemThrowWrite_memset
                              • String ID: IA64$NONE$OPatchInstall: Failed to get the path to the EXE$SYS.MSI.VER$SYS.WIN.ARCHITECTURE$SYS.WIN.PACKAGEPATH$SYS.WIN.PLATFORM$SYS.WIN.SHELLVER$SYS.WIN.SPLEVEL$SYS.WIN.SYSTEMLCID$SYS.WIN.USERADMIN$SYS.WIN.USERLCID$SYS.WIN.VER$UNKNOWN$WIN9X$WINNT$X64$X86$msi.dll$shell32.dll
                              • API String ID: 2665424290-1166132504
                              • Opcode ID: e1f0cfb3e53f3d21f0f829c7758834faf927eed17930df9c3d39bf48c0597984
                              • Instruction ID: a65ca9d9c26dc989b318a61ed7331dd678de1bd219e275cffd9d6aec358e92e5
                              • Opcode Fuzzy Hash: e1f0cfb3e53f3d21f0f829c7758834faf927eed17930df9c3d39bf48c0597984
                              • Instruction Fuzzy Hash: 8351F6B1E09114ABDF219BA0CC85FBD72BDEB55601F448091E615F229FDB389E00C7B9
                              Function 2D37EC30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • FindResourceA.KERNEL32(00000000,SCRIPT,0000000A), ref: 2D37EC3F
                              • GetLastError.KERNEL32 ref: 2D37EC49
                              • __CxxThrowException@8.LIBCMT ref: 2D37EC66
                              • LoadResource.KERNEL32(00000000,00000000), ref: 2D37EC6E
                              • LockResource.KERNEL32(00000000), ref: 2D37EC79
                              • SysAllocString.OLEAUT32(00000000), ref: 2D37EC80
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Resource$AllocErrorException@8FindLastLoadLockStringThrow
                              • String ID: SCRIPT
                              • API String ID: 2070536136-3967369404
                              • Opcode ID: 3762740e90cb996da5b84c989ffddbef5a49436bef135e44635532e9b194a8da
                              • Instruction ID: 6460f17c1dce5f15d3f650a47b8ee68075d4b520ee29a11c4f05891857767df4
                              • Opcode Fuzzy Hash: 3762740e90cb996da5b84c989ffddbef5a49436bef135e44635532e9b194a8da
                              • Instruction Fuzzy Hash: 2AF04439E08646BFD7119BB0C889FAE7BBCEF14641F004490E602F6255DB78D604D7A9
                              Function 2D38784B Relevance: 4.5, APIs: 3, Instructions: 23libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • LoadLibraryA.KERNELBASE(?), ref: 2D387852
                              • GetProcAddress.KERNEL32(00000000,?), ref: 2D387867
                              • FreeLibrary.KERNELBASE(00000000), ref: 2D387873
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Library$AddressFreeLoadProc
                              • String ID:
                              • API String ID: 145871493-0
                              • Opcode ID: 3280828a9c04f1ab7b5e2dbf7ee0e43613ac086e27b0c97fe5bd5c5c7072e751
                              • Instruction ID: b3218e4996e4f835ade1271b34f35f9e2b3ebb9846f150be1d05934c7f73ab9e
                              • Opcode Fuzzy Hash: 3280828a9c04f1ab7b5e2dbf7ee0e43613ac086e27b0c97fe5bd5c5c7072e751
                              • Instruction Fuzzy Hash: 2EE0EC36841129BB5B122B61DC09DDB7B6DEE06AA37008152FD4596211C62ACD54A6E8
                              Function 2D373001 Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON
                              Download Yara Rule
                              APIs
                              • CLSIDFromProgID.COMBASE(?,?), ref: 2D373020
                              • CoCreateInstance.OLE32(?,?,?,2D362FE0), ref: 2D373038
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CreateFromInstanceProg
                              • String ID:
                              • API String ID: 2151042543-0
                              • Opcode ID: 743448ba8356d50f916bbd55c849f01eabeace770d0d2d0f5186ddebf23bcc33
                              • Instruction ID: 67df1f8cf104322cb4c6ef1fbbb10655909f2ce5f8c8e372120efb3f8ed0ac28
                              • Opcode Fuzzy Hash: 743448ba8356d50f916bbd55c849f01eabeace770d0d2d0f5186ddebf23bcc33
                              • Instruction Fuzzy Hash: 4BF08C32A00109BB8B01DFA9CD49DDFBBBCEB59650B01401EB602F3200DA74EA00CBB9
                              Function 2D37EB78 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • VariantClear.OLEAUT32 ref: 2D37EB7F
                              • SysAllocString.OLEAUT32(00000000), ref: 2D37EBA5
                              • FindResourceA.KERNEL32(00000000,MANIFEST,0000000A), ref: 2D37EBCC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: AllocClearFindResourceStringVariant
                              • String ID: MANIFEST
                              • API String ID: 317432608-1623847948
                              • Opcode ID: 300fba7d6ad704aa57e50524c4c03c5efc318b8c433de7145ec21a4096e58469
                              • Instruction ID: b0b385cbbc818ea6a2e37779a500451ec035aad67e07145499eaa3600ddf50da
                              • Opcode Fuzzy Hash: 300fba7d6ad704aa57e50524c4c03c5efc318b8c433de7145ec21a4096e58469
                              • Instruction Fuzzy Hash: 5511D33590460ABBE7119BB0CC49BAA7BFCEF10606F008465F606FA201EB789604C7A8
                              Function 2D37A4FE Relevance: 15.1, APIs: 10, Instructions: 79windowCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • SetWindowLongA.USER32(?,00000008,?), ref: 2D37A518
                              • GetDlgItem.USER32(?,000003E8), ref: 2D37A535
                              • GetDlgItem.USER32(?,00000002), ref: 2D37A53D
                              • SendMessageA.USER32(?,00000030,0E0A0D77,00000001), ref: 2D37A54E
                              • SendMessageA.USER32(?,00000030,0E0A0D77,00000001), ref: 2D37A558
                              • SendMessageA.USER32(00000110,00000030,0E0A0D77,00000001), ref: 2D37A562
                              • GetWindowLongA.USER32(?,00000008), ref: 2D37A56E
                              • KiUserCallbackDispatcher.NTDLL(?), ref: 2D37A597
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: MessageSend$ItemLongWindow$CallbackDispatcherUser
                              • String ID:
                              • API String ID: 1186804443-0
                              • Opcode ID: 93f731a9b87f5bc6d3ab54eb70cad72254d9da53ee27e79a08e1e53b74ac5569
                              • Instruction ID: 1c8c073e9293601c4b252dc34fa2883401c4123a04e5743708145cb7d320dd7b
                              • Opcode Fuzzy Hash: 93f731a9b87f5bc6d3ab54eb70cad72254d9da53ee27e79a08e1e53b74ac5569
                              • Instruction Fuzzy Hash: 55219031648618BAFB029F64CC59FA97BFEAF14BA5F008015F7496A1D0C6BC99448A90
                              Function 2D36F5CB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 71fileCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 103 2d36f5cb-2d36f605 GetTempPathW 104 2d36f607 GetLastError 103->104 105 2d36f632-2d36f656 call 2d38ff91 103->105 106 2d36f60d 104->106 111 2d36f68d-2d36f692 105->111 112 2d36f658-2d36f674 CreateFileW 105->112 108 2d36f60e-2d36f62d call 2d36e813 call 2d38ee42 106->108 108->105 111->108 114 2d36f676-2d36f67f GetLastError 112->114 115 2d36f697-2d36f6ac CloseHandle call 2d38f7a3 112->115 114->106 118 2d36f681-2d36f687 114->118 118->105 120 2d36f689-2d36f68b 118->120 120->108
                              APIs
                              • GetTempPathW.KERNEL32(00000208,?), ref: 2D36F5FD
                              • GetLastError.KERNEL32 ref: 2D36F607
                              • __CxxThrowException@8.LIBCMT ref: 2D36F62D
                              • __snwprintf_s.LIBCMT ref: 2D36F64C
                              • CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000001,00000080,00000000,?,?,?,?,?,?,00000000,2D3A1F6C), ref: 2D36F66B
                              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,2D3A1F6C), ref: 2D36F676
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,2D3A1F6C), ref: 2D36F698
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseCreateException@8FileHandlePathTempThrow__snwprintf_s
                              • String ID: %s%s (%i).%s
                              • API String ID: 851263882-4104947418
                              • Opcode ID: 757089e28cd55d889906b4ddefb6a83c8c2e4329ebe4d273199f708e36087733
                              • Instruction ID: f7b2794bf5d0fc046c02c8fa3532ff1ea389245a2dcfbe04518517c86d03f870
                              • Opcode Fuzzy Hash: 757089e28cd55d889906b4ddefb6a83c8c2e4329ebe4d273199f708e36087733
                              • Instruction Fuzzy Hash: 3A217971A04218ABEB218A60CC85FEA737DEB05714F2081A5F711F61D5DB749A808BBD
                              Function 2D381A56 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 143COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D381A60
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                              • __CxxThrowException@8.LIBCMT ref: 2D381BE0
                                • Part of subcall function 2D38F117: __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D38F117: ___sbh_find_block.LIBCMT ref: 2D38F140
                                • Part of subcall function 2D38F117: ___sbh_free_block.LIBCMT ref: 2D38F14F
                                • Part of subcall function 2D38F117: RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                                • Part of subcall function 2D38F117: GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                                • Part of subcall function 2D36D44F: char_traits.LIBCPMT ref: 2D36D474
                              Strings
                              • OPatchInstall: Creating system property ', xrefs: 2D381A6C
                              • CSession::createStandardProperty, xrefs: 2D381BC2
                              • ' with value ', xrefs: 2D381AB1
                              • ' was already created, xrefs: 2D381BAE
                              • OPatchInstall: The system property ', xrefs: 2D381B66
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorException@8FileFreeH_prolog3HeapLastThrowWrite___sbh_find_block___sbh_free_block__lockchar_traits
                              • String ID: ' was already created$' with value '$CSession::createStandardProperty$OPatchInstall: Creating system property '$OPatchInstall: The system property '
                              • API String ID: 428937594-843738436
                              • Opcode ID: 694c4e662b44295b46715412f775206f33c5faf24adbefc0f24770b92c354fed
                              • Instruction ID: c711e06450db4f03e422f117e522c9ab3c84546246fe30a581ee6fe73eedc49d
                              • Opcode Fuzzy Hash: 694c4e662b44295b46715412f775206f33c5faf24adbefc0f24770b92c354fed
                              • Instruction Fuzzy Hash: A0516731A05219AEDF25DB50CC50BEDBB75EF61304F128199E21ABA1E1DB702F84CBA5
                              Function 2D3866D8 Relevance: 12.2, APIs: 8, Instructions: 237memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 2D3866E2
                              • GetFileVersionInfoSizeA.VERSION(?,?,000000A8,2D382E33,?,00000000,2D3612A4,2D361344,00000000,OPatchInstall: Getting version of the system dll '), ref: 2D386710
                              • GetLastError.KERNEL32(?,?,000000A8,2D382E33,?,00000000,2D3612A4,2D361344,00000000,OPatchInstall: Getting version of the system dll '), ref: 2D38671C
                                • Part of subcall function 2D36D404: char_traits.LIBCPMT ref: 2D36D429
                                • Part of subcall function 2D36E7F7: __strftime_l.LIBCMT ref: 2D36E809
                                • Part of subcall function 2D3865D3: __EH_prolog3.LIBCMT ref: 2D3865DA
                                • Part of subcall function 2D38652F: std::_String_base::_Xlen.LIBCPMT ref: 2D38656C
                              • __CxxThrowException@8.LIBCMT ref: 2D386739
                              • GlobalAlloc.KERNEL32(00000040,00000000,?,?,000000A8,2D382E33,?,00000000,2D3612A4,2D361344,00000000,OPatchInstall: Getting version of the system dll '), ref: 2D386741
                              • GetFileVersionInfoA.VERSION(?,00000000,?,00000000), ref: 2D38676D
                              • VerQueryValueA.VERSION(?,2D367790,?,?,?,00000000,?,00000000), ref: 2D386782
                              • GlobalFree.KERNEL32(?), ref: 2D38699C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: FileGlobalInfoVersion$AllocErrorException@8FreeH_prolog3H_prolog3_LastQuerySizeString_base::_ThrowValueXlen__strftime_lchar_traitsstd::_
                              • String ID:
                              • API String ID: 1266200685-0
                              • Opcode ID: 827200e7d2a29708be8764345486c56dfc00192dc470b4ab2b225d89163d6e50
                              • Instruction ID: 47e2fee17680163fe3287afb39d47b69dca26ceac6dfa37d7a428d5e5392daee
                              • Opcode Fuzzy Hash: 827200e7d2a29708be8764345486c56dfc00192dc470b4ab2b225d89163d6e50
                              • Instruction Fuzzy Hash: 5E91A271C08258FECB11DBA4DC80EEEBBB8EF65310F108159F215B3296EB345A09CB61
                              Function 2D382D3E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • __EH_prolog3_catch_GS.LIBCMT ref: 2D382D48
                              • _memset.LIBCMT ref: 2D382D74
                              • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 2D382D8D
                              • GetLastError.KERNEL32 ref: 2D382D97
                              • __CxxThrowException@8.LIBCMT ref: 2D382DBD
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • OPatchInstall: Getting version of the system dll ', xrefs: 2D382DEE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DirectoryDispatcherErrorExceptionException@8H_prolog3_catch_LastSystemThrowUser_memset
                              • String ID: OPatchInstall: Getting version of the system dll '
                              • API String ID: 2618885068-2740981447
                              • Opcode ID: 38e9b06d21ff125bc02cc3efac5242a78f8b5dc3f493df96c89b62cf8620620e
                              • Instruction ID: 78894276777736f04ceb39b903ab28b6c4141519e153da32a9960faa24a77c48
                              • Opcode Fuzzy Hash: 38e9b06d21ff125bc02cc3efac5242a78f8b5dc3f493df96c89b62cf8620620e
                              • Instruction Fuzzy Hash: D8315C72904268ABCB24DB60CC85BDD77B8EB64301F1181D5E209F7292DB746F84CFA5
                              Function 2D39079C Relevance: 9.1, APIs: 6, Instructions: 71threadCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 2D3907CD
                              • __calloc_crt.LIBCMT ref: 2D3907D9
                              • __getptd.LIBCMT ref: 2D3907E6
                              • CreateThread.KERNELBASE(?,?,2D390719,00000000,?,?), ref: 2D39081D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 2D390827
                              • __dosmaperr.LIBCMT ref: 2D39083F
                                • Part of subcall function 2D392E82: __getptd_noexit.LIBCMT ref: 2D392E82
                                • Part of subcall function 2D38F391: __decode_pointer.LIBCMT ref: 2D38F39C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                              • String ID:
                              • API String ID: 1803633139-0
                              • Opcode ID: c43bbec2c66c6fcfbf13df4e99cec224f695ea8c90c4ddd7b0a9982cb3d500b2
                              • Instruction ID: bf80c8d5744f949cd97eaa19026620bf91d12887755e187ee85e134acf558cd2
                              • Opcode Fuzzy Hash: c43bbec2c66c6fcfbf13df4e99cec224f695ea8c90c4ddd7b0a9982cb3d500b2
                              • Instruction Fuzzy Hash: 0E11C472508609BFDB01AFA4CC819DE77A8FF14260FA18039F605F6191EB319A41CBA0
                              Function 2D36D1FD Relevance: 7.6, APIs: 5, Instructions: 84stringCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • lstrlenW.KERNEL32(00000000), ref: 2D36D21B
                              • WideCharToMultiByte.KERNELBASE(?,00000000,00000000,00000001,?,00000001,00000000,00000000), ref: 2D36D24E
                              • GetLastError.KERNEL32(?,00000001,00000000,00000000), ref: 2D36D259
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000001,00000000,00000000), ref: 2D36D272
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000000,00000000,00000000,?,00000001,00000000,00000000), ref: 2D36D2A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLastlstrlen
                              • String ID:
                              • API String ID: 3322701435-0
                              • Opcode ID: b49efd6cdec0fead5c9baef7f0e24eb2acb78e9cb95d71895b8bfdef75c357c1
                              • Instruction ID: a920f034db61721ab969ee995d21d90e7e6d666a7208c9659c73b7a553669740
                              • Opcode Fuzzy Hash: b49efd6cdec0fead5c9baef7f0e24eb2acb78e9cb95d71895b8bfdef75c357c1
                              • Instruction Fuzzy Hash: FD213B72801124BBDB214F56DC44EAF7FBDEF46BA4F108114FA48A6114C6718E50DBF8
                              Function 2D389959 Relevance: 7.6, APIs: 5, Instructions: 81COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 411 2d389959-2d389978 412 2d38997b-2d389980 411->412 412->412 413 2d389982-2d389987 412->413 414 2d38998d-2d38999a CreateDirectoryA 413->414 415 2d389a43-2d389a4f call 2d38f7a3 413->415 414->415 416 2d3899a0-2d3899b1 GetLastError 414->416 418 2d389a41-2d389a42 416->418 419 2d3899b7-2d3899ba 416->419 418->415 421 2d3899bc 419->421 422 2d3899e1-2d389a00 call 2d38ffb2 419->422 423 2d3899bd-2d3899dc call 2d36e813 call 2d38ee42 421->423 428 2d389a02-2d389a04 422->428 429 2d389a06-2d389a18 call 2d3905ab 422->429 423->422 428->423 429->428 433 2d389a1a-2d389a35 call 2d389959 CreateDirectoryA 429->433 433->418 436 2d389a37-2d389a3b GetLastError 433->436 436->418 436->421
                              APIs
                              • CreateDirectoryA.KERNELBASE(?,00000000), ref: 2D389996
                              • GetLastError.KERNEL32 ref: 2D3899A8
                              • __CxxThrowException@8.LIBCMT ref: 2D3899DC
                              • CreateDirectoryA.KERNELBASE(?,00000000), ref: 2D389A31
                              • GetLastError.KERNEL32 ref: 2D389A37
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CreateDirectoryErrorLast$Exception@8Throw
                              • String ID:
                              • API String ID: 1240546814-0
                              • Opcode ID: c0f7641ecd15e41f709c11bdb92a4d432b4acee78d9b3156a91e033cd55aff42
                              • Instruction ID: 612e9191d70f543da8379835679a560c0b2f883f4d57f990009af2656fe46a4d
                              • Opcode Fuzzy Hash: c0f7641ecd15e41f709c11bdb92a4d432b4acee78d9b3156a91e033cd55aff42
                              • Instruction Fuzzy Hash: 5321FB35E04219ABDB11DB24CC45BEAB7BC9F65740F1141A1D640F7192DA74DB848FA0
                              Function 2D3887D7 Relevance: 7.6, APIs: 5, Instructions: 77filetimeCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • _memset.LIBCMT ref: 2D388810
                              • __CxxThrowException@8.LIBCMT ref: 2D388852
                              • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 2D388889
                              • GetLastError.KERNEL32(?,00000002,00000080,?,?,?,2D3A1F6C), ref: 2D38889A
                              • SetFileTime.KERNELBASE(00000000,?,?,?), ref: 2D3888B6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: File$CreateErrorException@8LastThrowTime_memset
                              • String ID:
                              • API String ID: 3537502443-0
                              • Opcode ID: d83ed8746d1e4f104008d1ba6d03d2d66841063cd2667bc37426d115828d7311
                              • Instruction ID: 343c2bd404cc01e95ab636493fd0ffd0a5efe12f1b8c1abbca1ea46a17ef9d90
                              • Opcode Fuzzy Hash: d83ed8746d1e4f104008d1ba6d03d2d66841063cd2667bc37426d115828d7311
                              • Instruction Fuzzy Hash: 0921AE76D08218BEDB109BA4DC81FDA77BCEB29750F108195E284F7181CAB49A848FA0
                              Function 2D37A683 Relevance: 7.6, APIs: 5, Instructions: 57synchronizationCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • __CxxThrowException@8.LIBCMT ref: 2D37A6AA
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 2D37A6B4
                              • GetLastError.KERNEL32 ref: 2D37A6C1
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 2D37A705
                              • CloseHandle.KERNELBASE(?), ref: 2D37A70E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CloseCreateErrorEventException@8HandleLastObjectSingleThrowWait
                              • String ID:
                              • API String ID: 3382691732-0
                              • Opcode ID: 0a68b700f10f2a3eb7aaa3de1a4ceedf327aeec3032ace82dc1e05003d9872a7
                              • Instruction ID: 758ffbc5f3a90c72d02f98942ebb1afe380a716db8352357ebc5f3bbfa3c3c9f
                              • Opcode Fuzzy Hash: 0a68b700f10f2a3eb7aaa3de1a4ceedf327aeec3032ace82dc1e05003d9872a7
                              • Instruction Fuzzy Hash: C011E735808644BFCB219F61CC44CAB7FBCEF95750B00C15AF5A5A2211E7349644DBA4
                              Function 2D37A619 Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                                • Part of subcall function 2D37A5CB: CreateDialogParamW.USER32(00000000,-00000065,00000000,Function_0001A4FE), ref: 2D37A5E9
                                • Part of subcall function 2D37A5CB: GetLastError.KERNEL32 ref: 2D37A5F3
                                • Part of subcall function 2D37A5CB: __CxxThrowException@8.LIBCMT ref: 2D37A610
                              • SetEvent.KERNEL32(?), ref: 2D37A634
                              • IsDialogMessage.USER32(?,?), ref: 2D37A64F
                              • TranslateMessage.USER32(?), ref: 2D37A65D
                              • DispatchMessageA.USER32(?), ref: 2D37A667
                              • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 2D37A674
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Message$Dialog$CallbackCreateDispatchDispatcherErrorEventException@8LastParamThrowTranslateUser
                              • String ID:
                              • API String ID: 1063205569-0
                              • Opcode ID: 0c1a63633889e7d3e006c667e3ecf6e07a777a92b9931547f234eba28824b376
                              • Instruction ID: 382b3e30ffee492b594cca6e9adbc630378d4a174f05416fb3aa4f43634df179
                              • Opcode Fuzzy Hash: 0c1a63633889e7d3e006c667e3ecf6e07a777a92b9931547f234eba28824b376
                              • Instruction Fuzzy Hash: BAF08172A04519BFDB01AFB4CC88EAF77BDBE046543004925F655E2140D23CD9158BA4
                              Function 2D38F117 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D3934BE: __amsg_exit.LIBCMT ref: 2D3934E0
                                • Part of subcall function 2D3934BE: EnterCriticalSection.KERNEL32(?,?,?,2D39263D,0000000D,2D3A62C8,00000008,2D390778,?,00000000), ref: 2D3934E8
                              • ___sbh_find_block.LIBCMT ref: 2D38F140
                              • ___sbh_free_block.LIBCMT ref: 2D38F14F
                              • RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                              • GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock
                              • String ID:
                              • API String ID: 2877530213-0
                              • Opcode ID: db6aed1af361bd5681d3a5acdb6eff8fbc33cda160fd6316d4fc0bf1a535701c
                              • Instruction ID: ff6322d39193a7b01f1ae1e52da163c9812eb3801b9ff7719f56c8abe3ddff64
                              • Opcode Fuzzy Hash: db6aed1af361bd5681d3a5acdb6eff8fbc33cda160fd6316d4fc0bf1a535701c
                              • Instruction Fuzzy Hash: 59016275D09715BBDB265FB1D8057AE3B74EF10762F51C014E654F71C1DB388640CA98
                              Function 2D37A3D8 Relevance: 7.5, APIs: 5, Instructions: 35COMMON
                              Download Yara Rule
                              APIs
                              • GetDlgItem.USER32(?,000003E8), ref: 2D37A3ED
                              • GetDlgItem.USER32(?,00000002), ref: 2D37A3F5
                              • SetWindowTextW.USER32(00000000,00000000), ref: 2D37A403
                              • SetWindowTextW.USER32(00000000,00000000), ref: 2D37A413
                              • SetWindowTextW.USER32(?,00000000), ref: 2D37A424
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: TextWindow$Item
                              • String ID:
                              • API String ID: 1634842743-0
                              • Opcode ID: 2d24782148456b2bd8ae8dd3328d4ca7ff71e8c5b6cfb6104ef499967b78ae83
                              • Instruction ID: 11d0001972fe95b066562c510dccf1883f4a3c0a4287554418d600f6671d7ab8
                              • Opcode Fuzzy Hash: 2d24782148456b2bd8ae8dd3328d4ca7ff71e8c5b6cfb6104ef499967b78ae83
                              • Instruction Fuzzy Hash: BBF03036600218FBEB025F51CC09BAA7B7EFF08765F408035F60966291CBBB4960DBA0
                              Function 2D37C74E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D37C755
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D37C77D
                                • Part of subcall function 2D36DF57: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DF60
                              • __CxxThrowException@8.LIBCMT ref: 2D37C78B
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: map/set<T> too long
                              • API String ID: 4068783259-1285458680
                              • Opcode ID: 69c8dcb9a265c7ad30f4513bfa558f170d0c5919b0e068745ebe81fb130fc40b
                              • Instruction ID: a5578f076a0ff38f30708f5114db0984c57ee5d71de3c6030acc3176ffdeba3d
                              • Opcode Fuzzy Hash: 69c8dcb9a265c7ad30f4513bfa558f170d0c5919b0e068745ebe81fb130fc40b
                              • Instruction Fuzzy Hash: 7C410935604A40AFE711CF58C584EA9BBF5FF19304F0A8098D649AB762D779FC81CB90
                              Function 2D38962B Relevance: 6.2, APIs: 4, Instructions: 160timeCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D389632
                              • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 2D38970C
                              • __CxxThrowException@8.LIBCMT ref: 2D3897C8
                              • __EH_prolog3.LIBCMT ref: 2D3897D5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3Time$DateException@8FileThrow
                              • String ID:
                              • API String ID: 1328005015-0
                              • Opcode ID: 7247f77bd2f282466e03de69324c749acbb2493687fea49c7464f7d9830c9a32
                              • Instruction ID: 21b25d1fc7394a86e2c0ab3b15a64759669a6f83de9d348344ea169d9bf1549a
                              • Opcode Fuzzy Hash: 7247f77bd2f282466e03de69324c749acbb2493687fea49c7464f7d9830c9a32
                              • Instruction Fuzzy Hash: F451AF71914209EFCB15CFA4C988EADB7B9FF18320F518519E256FB592CB30EA44CB60
                              Function 2D388364 Relevance: 6.1, APIs: 4, Instructions: 51COMMON
                              Download Yara Rule
                              APIs
                              • GetVersionExA.KERNEL32(?), ref: 2D388388
                              • _memset.LIBCMT ref: 2D3883C9
                              • KiUserCallbackDispatcher.NTDLL(00000029,00000154,?,00000000), ref: 2D3883E8
                              • CreateFontIndirectA.GDI32(?), ref: 2D3883F9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CallbackCreateDispatcherFontIndirectUserVersion_memset
                              • String ID:
                              • API String ID: 439434407-0
                              • Opcode ID: 739bbdb6cf4b1bff0f7dd70fb2f3a1c6a99fd6b122d46c8aae06474bfb01433d
                              • Instruction ID: 94426b7bef6ebaf8c7cb745df337df17ba6cc60883200c20dfba4ae4af051cff
                              • Opcode Fuzzy Hash: 739bbdb6cf4b1bff0f7dd70fb2f3a1c6a99fd6b122d46c8aae06474bfb01433d
                              • Instruction Fuzzy Hash: F011A170A04208ABDB91DF74DD05BDDB7FCAB05744F004095DA09F7383EBB89A498BA5
                              Function 2D39069B Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 2D3906AE
                                • Part of subcall function 2D398B4B: __FindPESection.LIBCMT ref: 2D398BA6
                              • __getptd_noexit.LIBCMT ref: 2D3906BE
                              • __freeptd.LIBCMT ref: 2D3906C8
                              • ExitThread.KERNEL32 ref: 2D3906D1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                              • String ID:
                              • API String ID: 3182216644-0
                              • Opcode ID: 1217f4812387c28250f5c7e8768503dd5179d84a1e259b1b33dbcd85ffccd626
                              • Instruction ID: f2bf505739015fe0768b9ea387711bf848a8481c1e3bc1ceda5f3ed00bdd2deb
                              • Opcode Fuzzy Hash: 1217f4812387c28250f5c7e8768503dd5179d84a1e259b1b33dbcd85ffccd626
                              • Instruction Fuzzy Hash: FFD01275004606E7D7051771C91BBB577ADEB90A50F518020EB00B6568DFB4C481D5BC
                              Function 2D3910AE Relevance: 4.6, APIs: 3, Instructions: 78memoryCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __FF_MSGBANNER.LIBCMT ref: 2D3910D1
                              • __NMSG_WRITE.LIBCMT ref: 2D3910D8
                              • RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9), ref: 2D391127
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 7684f30a0384c1b6c85823405e942b039120854939a5236f72e1447f2a65aa24
                              • Instruction ID: bd639b0e47f7ce0022770f18a1bbb62724a37b8d0ba0f84478129285bb29030f
                              • Opcode Fuzzy Hash: 7684f30a0384c1b6c85823405e942b039120854939a5236f72e1447f2a65aa24
                              • Instruction Fuzzy Hash: D411B9326096567AD3121B29DC42BEA735DEF11AA0F128121EB44BB3D1DB71D941C7D4
                              Function 2D38EF83 Relevance: 4.5, APIs: 3, Instructions: 34COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D3910AE: __FF_MSGBANNER.LIBCMT ref: 2D3910D1
                                • Part of subcall function 2D3910AE: __NMSG_WRITE.LIBCMT ref: 2D3910D8
                                • Part of subcall function 2D3910AE: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9), ref: 2D391127
                              • std::bad_alloc::bad_alloc.LIBCMT ref: 2D38EFC0
                                • Part of subcall function 2D38EF68: std::exception::exception.LIBCMT ref: 2D38EF74
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D38EFD4
                              • __CxxThrowException@8.LIBCMT ref: 2D38EFE2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: AllocateException@8HeapThrowstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                              • String ID:
                              • API String ID: 3585760706-0
                              • Opcode ID: 2f4686eabb90d40329875c4d7dbbee36d575876fe62d4f897ddf0db3605a1a8f
                              • Instruction ID: d78d825895ad310942fcfaa30ec3661aeb2d5ae5edb5aa7b75b2465739bcae1a
                              • Opcode Fuzzy Hash: 2f4686eabb90d40329875c4d7dbbee36d575876fe62d4f897ddf0db3605a1a8f
                              • Instruction Fuzzy Hash: 71F02727A0C20836CF046770EC159993FAADF21558F128026DE01F61A2EFB6DA05C390
                              Function 2D37A5CB Relevance: 4.5, APIs: 3, Instructions: 30COMMON
                              Download Yara Rule
                              APIs
                              • CreateDialogParamW.USER32(00000000,-00000065,00000000,Function_0001A4FE), ref: 2D37A5E9
                              • GetLastError.KERNEL32 ref: 2D37A5F3
                              • __CxxThrowException@8.LIBCMT ref: 2D37A610
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CreateDialogDispatcherErrorExceptionException@8LastParamThrowUser
                              • String ID:
                              • API String ID: 4168822975-0
                              • Opcode ID: 6d158320f279958b54b7b635607df89783ae39122e6a523d0e3e073fb97e11cd
                              • Instruction ID: 33c4678bcafe9de88f6d81b476d703d0cef17fa6f1b446f356f09a201d3d49f1
                              • Opcode Fuzzy Hash: 6d158320f279958b54b7b635607df89783ae39122e6a523d0e3e073fb97e11cd
                              • Instruction Fuzzy Hash: 62E065B6914644BF9708DF71CC4ADBB3BACDB255497048039F502E6111EA79D64086A5
                              Function 2D38E033 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103COMMON
                              Download Yara Rule
                              APIs
                              • __CxxThrowException@8.LIBCMT ref: 2D38E057
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throw
                              • String ID: W
                              • API String ID: 2005118841-655174618
                              • Opcode ID: 1177747a82480896055f3e2e3f66cfabff626a0010d6650c0813ddf002be5960
                              • Instruction ID: 3883dbfc198dcab6c5cdc857fdb88675ffecd3b7cda8ac0b8c2dad40c9098523
                              • Opcode Fuzzy Hash: 1177747a82480896055f3e2e3f66cfabff626a0010d6650c0813ddf002be5960
                              • Instruction Fuzzy Hash: A631BEB1904605EFD720CBA5C8849AAB7F9FB10386F00882DE752F7692C776EA44CB51
                              Function 2D38981A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D36E7F7: __strftime_l.LIBCMT ref: 2D36E809
                              • __CxxThrowException@8.LIBCMT ref: 2D38986C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throw__strftime_l
                              • String ID: cabinstance\
                              • API String ID: 3492712547-1471073468
                              • Opcode ID: fdeeb46806db4a7c5373056d05bab01a692d1c26ad556711a1b6739dfdace575
                              • Instruction ID: bfe352ab3c3be56362a7b007c5b18f41885f6bb81837e076cf93b710b330ed34
                              • Opcode Fuzzy Hash: fdeeb46806db4a7c5373056d05bab01a692d1c26ad556711a1b6739dfdace575
                              • Instruction Fuzzy Hash: FF218071A09219AEDB01CFA5CC859EEBBBDEF1A304F400069EA02FB257D635D904C7B1
                              Function 2D386655 Relevance: 3.1, APIs: 2, Instructions: 55COMMON
                              Download Yara Rule
                              APIs
                              • CharNextA.USER32(?,?,?), ref: 2D3866AF
                              • __CxxThrowException@8.LIBCMT ref: 2D3866D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CharException@8NextThrow
                              • String ID:
                              • API String ID: 455092827-0
                              • Opcode ID: 06b93b7398fd8a3bc32e40db27029c07993c3fcf398b00c38259bdf5bbf18bac
                              • Instruction ID: f2bb26399ab0b997f2f024af1e1a793306956a4f321a591e59dd271b1d3dd4e7
                              • Opcode Fuzzy Hash: 06b93b7398fd8a3bc32e40db27029c07993c3fcf398b00c38259bdf5bbf18bac
                              • Instruction Fuzzy Hash: 6611C8B54047C5AEC721CF38D490AAABBE8EF4A210F14842ADD96E7246D774D640CB60
                              Function 2D3884F9 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON
                              Download Yara Rule
                              APIs
                              • SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 2D38852E
                              • ReadFile.KERNELBASE(00000000,?,?,00000000,00000000), ref: 2D388546
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: File$PointerRead
                              • String ID:
                              • API String ID: 3154509469-0
                              • Opcode ID: 1534725c37feb32b0fbbcb525f327f8b377cf44ff2c6903f79d8d5862e4bbe32
                              • Instruction ID: a0c343dbaf1ea54a653a37c01a1fa1f44734565188a3ae779734109597a363de
                              • Opcode Fuzzy Hash: 1534725c37feb32b0fbbcb525f327f8b377cf44ff2c6903f79d8d5862e4bbe32
                              • Instruction Fuzzy Hash: E4018432610704AFDB10CA28DC01F5AB7FDAB84764F204A29F526E2591E770EE04DB54
                              Function 2D37B535 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                              Download Yara Rule
                              APIs
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D37B563
                              • __CxxThrowException@8.LIBCMT ref: 2D37B571
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::bad_exception::bad_exception
                              • String ID:
                              • API String ID: 953301-0
                              • Opcode ID: f3fc899cb5e7ae2aea061c4feab9c2e4535a081c8b04b5fdbf9e02b49c7a155e
                              • Instruction ID: 07175ec2685af48e25d91de2202be3343e0f7179ccc5d662a54c73fc12ded90a
                              • Opcode Fuzzy Hash: f3fc899cb5e7ae2aea061c4feab9c2e4535a081c8b04b5fdbf9e02b49c7a155e
                              • Instruction Fuzzy Hash: D6E02672A1020429D70CE278C856EAE77BA9B20620F10C62EDA23F10C1EE74E2048294
                              Function 2D36D02A Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                              Download Yara Rule
                              APIs
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D36D058
                              • __CxxThrowException@8.LIBCMT ref: 2D36D066
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::bad_exception::bad_exception
                              • String ID:
                              • API String ID: 953301-0
                              • Opcode ID: 559408b4da7d03279e3a6a0515bb9183fd49a4f0dfbc30d749324c6d765d93a5
                              • Instruction ID: b50bc744e53efbe102c18193803cce885dd1ca8f313d23be73747d237d145fd9
                              • Opcode Fuzzy Hash: 559408b4da7d03279e3a6a0515bb9183fd49a4f0dfbc30d749324c6d765d93a5
                              • Instruction Fuzzy Hash: E1E02032D1020415C70CD674D445E9E33A9AB50610F10862ED532F10C5EF70D209C1E4
                              Function 2D3906D8 Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __getptd.LIBCMT ref: 2D3906E4
                                • Part of subcall function 2D392592: __getptd_noexit.LIBCMT ref: 2D392595
                                • Part of subcall function 2D392592: __amsg_exit.LIBCMT ref: 2D3925A2
                                • Part of subcall function 2D39069B: __IsNonwritableInCurrentImage.LIBCMT ref: 2D3906AE
                                • Part of subcall function 2D39069B: __getptd_noexit.LIBCMT ref: 2D3906BE
                                • Part of subcall function 2D39069B: __freeptd.LIBCMT ref: 2D3906C8
                                • Part of subcall function 2D39069B: ExitThread.KERNEL32 ref: 2D3906D1
                              • __XcptFilter.LIBCMT ref: 2D390705
                                • Part of subcall function 2D3919BF: __getptd_noexit.LIBCMT ref: 2D3919C7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
                              • String ID:
                              • API String ID: 393088965-0
                              • Opcode ID: 05cf2879c8f36310f18ed76e431aacc8fbdf0f7ba363ecedac43c6b11077c738
                              • Instruction ID: f6c8314ef17c7b744d486735d47b2230b83a8cfe8181363a16faa8bf11b0d52d
                              • Opcode Fuzzy Hash: 05cf2879c8f36310f18ed76e431aacc8fbdf0f7ba363ecedac43c6b11077c738
                              • Instruction Fuzzy Hash: 0DE0ECB5944A049FE718ABA0C949EAE7765EF64216F218088E202BB2A1CB359D40DB20
                              Function 2D37A321 Relevance: 3.0, APIs: 2, Instructions: 12windowCOMMON
                              Download Yara Rule
                              APIs
                              • GetDlgItem.USER32(?,000003EA), ref: 2D37A32B
                              • PostMessageA.USER32(00000000,00000402,00000000,00000000), ref: 2D37A33C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ItemMessagePost
                              • String ID:
                              • API String ID: 1313159582-0
                              • Opcode ID: 0c0df5a0c746531c0749eba097a7817e77b20ff178d921de2aa8efab4168b07c
                              • Instruction ID: af2ab8d78ee5b293ccce800d0d00feb71ff106ea8d12fda41d98d6d6e6bc4a35
                              • Opcode Fuzzy Hash: 0c0df5a0c746531c0749eba097a7817e77b20ff178d921de2aa8efab4168b07c
                              • Instruction Fuzzy Hash: 43C01272280208BBDA026BA4CC1EF493A2EBB14B06F008010B301681E0C6B669209A9A
                              Function 2D37A346 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                              Download Yara Rule
                              APIs
                              • ShowWindow.USER32(?,00000005,?,2D372F9E), ref: 2D37A34D
                              • UpdateWindow.USER32(?), ref: 2D37A355
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Window$ShowUpdate
                              • String ID:
                              • API String ID: 2310006639-0
                              • Opcode ID: 32a273827ff65ebee6baed6a4ab06fb16a9a94062b50bef7d2b58cc4c9e46887
                              • Instruction ID: 49bb4882e647b726b4873a751ec03298ada03ccd0034148dca3299fd3e3b7418
                              • Opcode Fuzzy Hash: 32a273827ff65ebee6baed6a4ab06fb16a9a94062b50bef7d2b58cc4c9e46887
                              • Instruction Fuzzy Hash: 8BC04C35100020FFEA225F14EC1DAC5BA7AEF04751B120455B1815116496B60C549B94
                              Function 2D390DAB Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • ___crtCorExitProcess.LIBCMT ref: 2D390DB3
                                • Part of subcall function 2D390D80: GetModuleHandleW.KERNEL32(mscoree.dll,?,2D390DB8,?,?,2D3910E7,000000FF,0000001E,?,2D395247,?,00000001,?,?,2D393448,00000018), ref: 2D390D8A
                                • Part of subcall function 2D390D80: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 2D390D9A
                              • ExitProcess.KERNEL32 ref: 2D390DBC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ExitProcess$AddressHandleModuleProc___crt
                              • String ID:
                              • API String ID: 2427264223-0
                              • Opcode ID: 8577403666ede84add5c33028a6a72306d61b5438bf6e22ef44d44cd8cd7be5b
                              • Instruction ID: cf4cf403a793273b5d61d29049e0f5ccff176ba6cfd6092332cf139d855e5fb5
                              • Opcode Fuzzy Hash: 8577403666ede84add5c33028a6a72306d61b5438bf6e22ef44d44cd8cd7be5b
                              • Instruction Fuzzy Hash: D3B09231004148BBCB022F52CC0988D3F2AEB80AA1F218020F90809130DF72AD92EAD8
                              Function 2D36D65E Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3_catch
                              • String ID:
                              • API String ID: 3886170330-0
                              • Opcode ID: bf3cbf17043fcccb61e9991cb1f18e86d1acbbebae54799e683722e9ed0670f5
                              • Instruction ID: 7174cc22ddb9cceb9cc42ef997871a59d9c11d6d0615c00ad93cacf648f92084
                              • Opcode Fuzzy Hash: bf3cbf17043fcccb61e9991cb1f18e86d1acbbebae54799e683722e9ed0670f5
                              • Instruction Fuzzy Hash: DB11E271A00105EBDB04CF56D880B6DB3A6FB94300F60C116E719BB1C4CB71EA50CBE4
                              Function 2D36D94A Relevance: 1.5, APIs: 1, Instructions: 42COMMON
                              Download Yara Rule
                              APIs
                              • std::_String_base::_Xlen.LIBCPMT ref: 2D36D95C
                                • Part of subcall function 2D39E53A: __EH_prolog3.LIBCMT ref: 2D39E541
                                • Part of subcall function 2D39E53A: std::bad_exception::bad_exception.LIBCMT ref: 2D39E55E
                                • Part of subcall function 2D39E53A: __CxxThrowException@8.LIBCMT ref: 2D39E56C
                                • Part of subcall function 2D39E53A: __EH_prolog3.LIBCMT ref: 2D39E579
                                • Part of subcall function 2D39E53A: std::bad_exception::bad_exception.LIBCMT ref: 2D39E596
                                • Part of subcall function 2D39E53A: __CxxThrowException@8.LIBCMT ref: 2D39E5A4
                                • Part of subcall function 2D39E53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?), ref: 2D39E623
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8H_prolog3Throwstd::bad_exception::bad_exception$ExceptionRaiseString_base::_Xlenstd::_
                              • String ID:
                              • API String ID: 2643941598-0
                              • Opcode ID: 9aa9379ee6d03de0388cc4f685cf3521d9f9eaf8e40ef1c4c90425cf1a350527
                              • Instruction ID: 46e1db2d6e81b72d16fa69efccaffe172c967dda2ce44927680b28fac733191a
                              • Opcode Fuzzy Hash: 9aa9379ee6d03de0388cc4f685cf3521d9f9eaf8e40ef1c4c90425cf1a350527
                              • Instruction Fuzzy Hash: 7CF02B3170811056C7225D3BF800B2EA6DACBD1964F15851AE547F718DDD71D68082FA
                              Function 2D3893F4 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3_catch
                              • String ID:
                              • API String ID: 3886170330-0
                              • Opcode ID: eeeb9618f22f07f42da709f129ba7c4b6a8f32a4ab7cd908856ddac9dcaf3f42
                              • Instruction ID: 5f1282e911147c464e482a4a36bec4c33f17bbe8d79812ec16d33329438cc873
                              • Opcode Fuzzy Hash: eeeb9618f22f07f42da709f129ba7c4b6a8f32a4ab7cd908856ddac9dcaf3f42
                              • Instruction Fuzzy Hash: 5AF08C76905215ABCB46CF68C804A5E7BA5FB04BA4F11C316E634FB2D1C7708A008BA5
                              Function 2D36D44F Relevance: 1.5, APIs: 1, Instructions: 30COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: char_traits
                              • String ID:
                              • API String ID: 1158913984-0
                              • Opcode ID: 64b5e76114a4de8b38d16f184df7f2683c58bf65642a74f44cf39c2b673d6b96
                              • Instruction ID: 5a9c3781b3de4652737c8be67bf5c7dd67f4fb470cd6429e055a6b76ebd599e5
                              • Opcode Fuzzy Hash: 64b5e76114a4de8b38d16f184df7f2683c58bf65642a74f44cf39c2b673d6b96
                              • Instruction Fuzzy Hash: B0F05532004204AADB305F8AD804B5ABBECEF65310F00C02EF68866152CA70F558C7F4
                              Function 2D37BDEF Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3_catch
                              • String ID:
                              • API String ID: 3886170330-0
                              • Opcode ID: 113112561ec0f0ea7570c31252b116a891adf9d5f38c982fd3d22190240d213a
                              • Instruction ID: 95b8dcc9c9f78f5523ae135f31a3d15cc0ca601e5ed03fcb345fcffed7d56223
                              • Opcode Fuzzy Hash: 113112561ec0f0ea7570c31252b116a891adf9d5f38c982fd3d22190240d213a
                              • Instruction Fuzzy Hash: 16E06D36905618ABEF018F94C901BDE3F71EF28B54F018005FB00BA2D0C3B68E60A7E2
                              Function 2D3928D6 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON
                              Download Yara Rule
                              APIs
                              • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 2D3928EB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CreateHeap
                              • String ID:
                              • API String ID: 10892065-0
                              • Opcode ID: e3ace702fe54e0c77e4db638721a618b450f28d679c044d32056262b79d4dd1b
                              • Instruction ID: 685258ad756d200d66f05957eabdee37544712d632cabfc200d1af9b386a1c5b
                              • Opcode Fuzzy Hash: e3ace702fe54e0c77e4db638721a618b450f28d679c044d32056262b79d4dd1b
                              • Instruction Fuzzy Hash: 12D05E76A543057FD7029E76EC097663BECA784B95F008435F80CC6240FA78C640DA48
                              Function 2D38847B Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON
                              Download Yara Rule
                              APIs
                              • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000), ref: 2D388492
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: da4320dcef766df28b63d533c794c9dda68e892b7c7ee5396e72c4d3550aa243
                              • Instruction ID: 26acfb0f55b43f7630d5e947b89681b25f6f5ab33a0e3ebc6f0e0745490e9502
                              • Opcode Fuzzy Hash: da4320dcef766df28b63d533c794c9dda68e892b7c7ee5396e72c4d3550aa243
                              • Instruction Fuzzy Hash: 85E08C32510108FBDB01CBA0DD02FCD7B7CBB04368F208114B511EA091C375DA109B54
                              Function 2D381158 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3_catch_GS.LIBCMT ref: 2D381162
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3_catch_
                              • String ID:
                              • API String ID: 1329019490-0
                              • Opcode ID: 097ba1b738138fcaa1287d32cc9196a17925e1a49824dc45df17fa4483296a62
                              • Instruction ID: 650fac9be684d6f40e454bebff44a47690005cf282475bbd7754b87b8f01c66d
                              • Opcode Fuzzy Hash: 097ba1b738138fcaa1287d32cc9196a17925e1a49824dc45df17fa4483296a62
                              • Instruction Fuzzy Hash: FCD05E74904204CBE7048B50C844F48B770FF14300F20C18CE208EB291CB325D84CF06
                              Function 2D390FC7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                              Download Yara Rule
                              APIs
                              • _doexit.LIBCMT ref: 2D390FD3
                                • Part of subcall function 2D390E9B: __lock.LIBCMT ref: 2D390EA9
                                • Part of subcall function 2D390E9B: __decode_pointer.LIBCMT ref: 2D390EE0
                                • Part of subcall function 2D390E9B: __decode_pointer.LIBCMT ref: 2D390EF5
                                • Part of subcall function 2D390E9B: __decode_pointer.LIBCMT ref: 2D390F1F
                                • Part of subcall function 2D390E9B: __decode_pointer.LIBCMT ref: 2D390F35
                                • Part of subcall function 2D390E9B: __decode_pointer.LIBCMT ref: 2D390F42
                                • Part of subcall function 2D390E9B: __initterm.LIBCMT ref: 2D390F71
                                • Part of subcall function 2D390E9B: __initterm.LIBCMT ref: 2D390F81
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __decode_pointer$__initterm$__lock_doexit
                              • String ID:
                              • API String ID: 1597249276-0
                              • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                              • Instruction ID: acadcc02bfd9079f89b0c25eae59b9327680af0b1a3ec0deb8ccac89bf6db98b
                              • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                              • Instruction Fuzzy Hash: ABB0923298420833DA201542EC02F963B0A87D0AA0E294020BA5C2D1A0A9B2A9618089
                              Function 2D37A30F Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • PostMessageA.USER32(?,00008001,00000000,00000000), ref: 2D37A31A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 0622457f2d9b24fde4042635299b9affe1b0582e29c9c09fe81b9e940c58d149
                              • Instruction ID: 3cff973e474086c7ec3a940c9990c1478ad04f592b59f4bd33f6f875bb03bdf5
                              • Opcode Fuzzy Hash: 0622457f2d9b24fde4042635299b9affe1b0582e29c9c09fe81b9e940c58d149
                              • Instruction Fuzzy Hash: 8CB00170790610BAEEA29B25CE5AF043A67BB42F09F204094B3456C5E08AA629589A4A

                              Non-executed Functions

                              Function 2D388222 Relevance: 49.1, APIs: 14, Strings: 14, Instructions: 100libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • LoadLibraryA.KERNEL32(user32.dll,?,?,2D3883AE), ref: 2D38822F
                              • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 2D38824B
                              • GetProcAddress.KERNEL32(00000000,SetWindowTextW), ref: 2D388260
                              • GetProcAddress.KERNEL32(00000000,DialogBoxParamW), ref: 2D388275
                              • GetProcAddress.KERNEL32(00000000,CreateDialogParamW), ref: 2D38828A
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,2D3883AE), ref: 2D38829E
                              • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 2D3882B0
                              • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 2D3882C1
                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 2D3882D2
                              • GetProcAddress.KERNEL32(00000000,GetCurrentDirectoryW), ref: 2D3882E3
                              • GetProcAddress.KERNEL32(00000000,SetCurrentDirectoryW), ref: 2D3882F4
                              • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 2D388305
                              • GetProcAddress.KERNEL32(00000000,GetTempPathW), ref: 2D388316
                              • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExW), ref: 2D388327
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: CreateDialogParamW$CreateFileW$CreateProcessW$DialogBoxParamW$GetCurrentDirectoryW$GetDiskFreeSpaceExW$GetModuleFileNameW$GetTempPathW$MessageBoxW$MoveFileExW$SetCurrentDirectoryW$SetWindowTextW$kernel32.dll$user32.dll
                              • API String ID: 2238633743-1099696723
                              • Opcode ID: 3682c8cf80455df4805748a923f3804938d241ef3ef5ba9ade2bb506f68aee6f
                              • Instruction ID: 74c6ce79a3850d6c8e95d9b5075920b1c8d74a8506f8657f2f30c1bb89c19f9c
                              • Opcode Fuzzy Hash: 3682c8cf80455df4805748a923f3804938d241ef3ef5ba9ade2bb506f68aee6f
                              • Instruction Fuzzy Hash: 65316674A4061679C7179F39ECE1AB62BFDEA95B81384402AD500F2347DF69C4019BB9
                              Function 2D3970F3 Relevance: 7.6, APIs: 5, Instructions: 75COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __NMSG_WRITE.LIBCMT ref: 2D397114
                                • Part of subcall function 2D3917DA: __set_error_mode.LIBCMT ref: 2D39180B
                                • Part of subcall function 2D3917DA: __set_error_mode.LIBCMT ref: 2D39181C
                                • Part of subcall function 2D3917DA: _strcpy_s.LIBCMT ref: 2D391850
                                • Part of subcall function 2D3917DA: __invoke_watson.LIBCMT ref: 2D391861
                                • Part of subcall function 2D3917DA: GetModuleFileNameA.KERNEL32(00000000,2D3AABB1,00000104), ref: 2D39187D
                                • Part of subcall function 2D3917DA: _strcpy_s.LIBCMT ref: 2D391892
                                • Part of subcall function 2D3917DA: __invoke_watson.LIBCMT ref: 2D3918A5
                                • Part of subcall function 2D3917DA: __invoke_watson.LIBCMT ref: 2D3918E8
                              • _raise.LIBCMT ref: 2D397125
                              • _memset.LIBCMT ref: 2D3971B7
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,1FFFFFFF), ref: 2D3971E9
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,1FFFFFFF), ref: 2D3971F6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __invoke_watson$ExceptionFilterUnhandled__set_error_mode_strcpy_s$FileModuleName_memset_raise
                              • String ID:
                              • API String ID: 3251567315-0
                              • Opcode ID: 9bed5a0933111ec7d1e7f3e031411fdfee399cf753959c0fa724f245972dfa2f
                              • Instruction ID: c1f14a51c2bb43ec2cd887bd41b147b7a89ce52c45797fad2d372c7d33a562f8
                              • Opcode Fuzzy Hash: 9bed5a0933111ec7d1e7f3e031411fdfee399cf753959c0fa724f245972dfa2f
                              • Instruction Fuzzy Hash: 1131F57591132DABDB21DF65C8997C9BBB8AF58710F1040DAA50CBB250DB789BC0CF98
                              Function 2D38F7A3 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 2D3951EB
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 2D395200
                              • UnhandledExceptionFilter.KERNEL32(2D36A230), ref: 2D39520B
                              • GetCurrentProcess.KERNEL32(C0000409), ref: 2D395227
                              • TerminateProcess.KERNEL32(00000000), ref: 2D39522E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                              • String ID:
                              • API String ID: 2579439406-0
                              • Opcode ID: 10d46071afcc656e4f0431eca1e0d379ddd6c22d329c59ef2e9a7ea2a6f4b50c
                              • Instruction ID: 71852bac9afbbec80cb56ebe90cf55ac96f8fc140731fc89c3bee09e6f57b27b
                              • Opcode Fuzzy Hash: 10d46071afcc656e4f0431eca1e0d379ddd6c22d329c59ef2e9a7ea2a6f4b50c
                              • Instruction Fuzzy Hash: 0621CEB8A01208BBD702CF69D0A47D83BBEFB58B90F50411AE56896750E7789981CF6D
                              Function 2D38EBE3 Relevance: 2.5, APIs: 2, Instructions: 32memoryCOMMON
                              Download Yara Rule
                              APIs
                              • GetProcessHeap.KERNEL32 ref: 2D38EC06
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 2D38EC17
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Heap$FreeProcess
                              • String ID:
                              • API String ID: 3859560861-0
                              • Opcode ID: d076e5cdecff3c4806461916a01076326d516c08c123bc103340dd6b15194c6b
                              • Instruction ID: 85e668162a96d8ed435861192bd3f3b015a92a56614719ca6a82ef5c0667548f
                              • Opcode Fuzzy Hash: d076e5cdecff3c4806461916a01076326d516c08c123bc103340dd6b15194c6b
                              • Instruction Fuzzy Hash: 37F08275A003006FDB119B61C80AF63BBED9F45751F018428F659E7242CB76E840CBA5
                              Function 2D387E35 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                              Download Yara Rule
                              APIs
                              • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 2D387E59
                                • Part of subcall function 2D38F117: __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D38F117: ___sbh_find_block.LIBCMT ref: 2D38F140
                                • Part of subcall function 2D38F117: ___sbh_free_block.LIBCMT ref: 2D38F14F
                                • Part of subcall function 2D38F117: RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                                • Part of subcall function 2D38F117: GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Free$DiskErrorHeapLastSpace___sbh_find_block___sbh_free_block__lock
                              • String ID:
                              • API String ID: 1140605925-0
                              • Opcode ID: d297bcc39455f48cb78fb1e1849f257aff95ed5c85e583408dadec6d2bc30ada
                              • Instruction ID: 8d3a64d0e5535a219f4cf467cee4ab3da9dd39b6b92191f8d517655dbc88dfda
                              • Opcode Fuzzy Hash: d297bcc39455f48cb78fb1e1849f257aff95ed5c85e583408dadec6d2bc30ada
                              • Instruction Fuzzy Hash: AEE06D3280011AABCF119F64EC41ADA7B79FB14245F008061FA45E21A0DB309D60DB90
                              Function 2D3812BA Relevance: 42.5, APIs: 1, Strings: 23, Instructions: 470COMMON
                              Download Yara Rule
                              APIs
                              • __CxxThrowException@8.LIBCMT ref: 2D38179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throw
                              • String ID: CSession::setArgumentValue$SYS.ARGS.EXTRACT$SYS.ARGS.EXTRACTPATH$SYS.ARGS.EXTRACTPATHREADONLY$SYS.ARGS.EXTRACTREADONLY$SYS.ARGS.FORCERESTART$SYS.ARGS.FORCERESTARTREADONLY$SYS.ARGS.HELP$SYS.ARGS.HELPREADONLY$SYS.ARGS.LANG$SYS.ARGS.LANGREADONLY$SYS.ARGS.LANGVALUE$SYS.ARGS.LANGVALUEREADONLY$SYS.ARGS.LOG$SYS.ARGS.LOGPATH$SYS.ARGS.LOGPATHREADONLY$SYS.ARGS.LOGREADONLY$SYS.ARGS.NORESTART$SYS.ARGS.NORESTARTREADONLY$SYS.ARGS.PASSIVE$SYS.ARGS.PASSIVEREADONLY$SYS.ARGS.QUIET$SYS.ARGS.QUIETREADONLY
                              • API String ID: 2005118841-1953358270
                              • Opcode ID: 621b4a1eb589686dd9eb6478aa61653259f8eef033eea72139a9cc49d6b066f4
                              • Instruction ID: dd8273bff6bddd51f21b8f5421cf8c228cccba2328d573cc74ba66cf4aab365e
                              • Opcode Fuzzy Hash: 621b4a1eb589686dd9eb6478aa61653259f8eef033eea72139a9cc49d6b066f4
                              • Instruction Fuzzy Hash: DAE1134F7221024BC7250F39CC469E2A6767FA1EE07D98AA8D545FB64BF731CE458360
                              Function 2D37B1EF Relevance: 27.2, APIs: 18, Instructions: 154windowCOMMON
                              Download Yara Rule
                              APIs
                              • SetWindowLongA.USER32(?,00000008,?), ref: 2D37B20F
                              • GetDlgItem.USER32(?,000003EC), ref: 2D37B221
                              • GetDlgItem.USER32(?,000003E8), ref: 2D37B22C
                              • GetDlgItem.USER32(?,000003E9), ref: 2D37B237
                              • GetDlgItem.USER32(?,000003EA), ref: 2D37B242
                              • SetWindowTextW.USER32(00000110,?), ref: 2D37B25B
                              • SetWindowTextW.USER32(?,?), ref: 2D37B272
                              • SetWindowTextW.USER32(?,?), ref: 2D37B28F
                              • SetWindowTextW.USER32(?,?), ref: 2D37B2A6
                              • SetWindowTextW.USER32(?,?), ref: 2D37B2BB
                              • SendMessageA.USER32(?,00000030,0E0A0D77,00000001), ref: 2D37B2DB
                              • SendMessageA.USER32(00000110,00000030,0E0A0D77,00000001), ref: 2D37B2E4
                              • SendMessageA.USER32(?,00000030,0E0A0D77,00000001), ref: 2D37B2ED
                              • SendMessageA.USER32(?,00000030,0E0A0D77,00000001), ref: 2D37B2F6
                              • SendMessageA.USER32(?,00000030,0E0A0D77,00000001), ref: 2D37B2FF
                              • GetWindowLongA.USER32(?,00000008), ref: 2D37B30A
                              • GetDlgItem.USER32(?,000003EC), ref: 2D37B33C
                              • EnableWindow.USER32(00000000,00000000), ref: 2D37B358
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Window$ItemMessageSendText$Long$Enable
                              • String ID:
                              • API String ID: 2063855303-0
                              • Opcode ID: 17ab98a9f0e1dd86f271927249234ec4c8e3649aee6a9ee6fef4ae66c15a503c
                              • Instruction ID: e98dc827a3f17f44d045b1eac918748ddf7c1004a9f17922b0ea3ef3fdb4a6f6
                              • Opcode Fuzzy Hash: 17ab98a9f0e1dd86f271927249234ec4c8e3649aee6a9ee6fef4ae66c15a503c
                              • Instruction Fuzzy Hash: 06414B31640A58BBEB129F21CC89EAF7BBEFF45B95F004415F606A6190D779A940CB60
                              Function 2D37E3B1 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 125COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D380323: __EH_prolog3.LIBCMT ref: 2D38032A
                              • __CxxThrowException@8.LIBCMT ref: 2D37E405
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8FileH_prolog3ThrowUserWrite
                              • String ID: DetailsPreBody$FilesToSend$GeneralAppName$GeneralReportee$MainCaption$MainIntroBold$MainIntroReg$MainNoReportBtn$MainPleaReg$MainReportBtn$OPatchInstall: CActionReportError::initFromElement ends$OPatchInstall: CActionReportError::initFromElement starts$UiLcid
                              • API String ID: 74031213-3528283118
                              • Opcode ID: 135f94ba1adbd9b0dca5acd91136128b0279768bd109619079e9802c48aa0333
                              • Instruction ID: 2d808e83273f65b98e636b624864cb17d46f2c5893d6d9dcdd9da0a83b97c687
                              • Opcode Fuzzy Hash: 135f94ba1adbd9b0dca5acd91136128b0279768bd109619079e9802c48aa0333
                              • Instruction Fuzzy Hash: F631C661204A417BEA25DA60CCD1DFE63DDEB64084FC58058FAC6F715BDB74AA0683B8
                              Function 2D392432 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,2D3A62A0,0000000C,2D39256D,00000000,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D392444
                              • __crt_waiting_on_module_handle.LIBCMT ref: 2D39244F
                                • Part of subcall function 2D390D27: Sleep.KERNEL32(000003E8,?,?,2D392354,KERNEL32.DLL,?,2D3923C0,?,2D390724), ref: 2D390D33
                                • Part of subcall function 2D390D27: GetModuleHandleW.KERNEL32(?,?,?,2D392354,KERNEL32.DLL,?,2D3923C0,?,2D390724), ref: 2D390D3C
                              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 2D392478
                              • GetProcAddress.KERNEL32(?,DecodePointer), ref: 2D392488
                              • __lock.LIBCMT ref: 2D3924AA
                              • InterlockedIncrement.KERNEL32(2D3A9D98), ref: 2D3924B7
                              • __lock.LIBCMT ref: 2D3924CB
                              • ___addlocaleref.LIBCMT ref: 2D3924E9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                              • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                              • API String ID: 1028249917-2843748187
                              • Opcode ID: 0a2c8bb1ce8cdf3d4986d16617102ea125d6c6ca675310569bed6a988638bd6d
                              • Instruction ID: 00bfd23a948f737fe5d3b16cca046ab8fbd70c0006a4f0d66943557c566ecef1
                              • Opcode Fuzzy Hash: 0a2c8bb1ce8cdf3d4986d16617102ea125d6c6ca675310569bed6a988638bd6d
                              • Instruction Fuzzy Hash: 3211DF74808B01AFD7218F35C840B9ABBF4FF10314F50C529E5A9B33A0CB349A40CB68
                              Function 2D387B60 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 127fileCOMMON
                              Download Yara Rule
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 2D387B8E
                              • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 2D387C00
                              • CloseHandle.KERNEL32(00000000), ref: 2D387C10
                              • GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 2D387C34
                              • GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 2D387C98
                                • Part of subcall function 2D38F117: __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D38F117: ___sbh_find_block.LIBCMT ref: 2D38F140
                                • Part of subcall function 2D38F117: ___sbh_free_block.LIBCMT ref: 2D38F14F
                                • Part of subcall function 2D38F117: RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                                • Part of subcall function 2D38F117: GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                              • WritePrivateProfileStringA.KERNEL32(rename,?,?,?), ref: 2D387CDE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: FullNamePath$CloseCreateDirectoryErrorFileFreeHandleHeapLastPrivateProfileStringWindowsWrite___sbh_find_block___sbh_free_block__lock
                              • String ID: NUL$\$rename$wininit.ini
                              • API String ID: 2841488213-281785890
                              • Opcode ID: f77f7ddf924487ab23edeb51e52314bded13a94c35c15c0a53022ec1fe50b1ae
                              • Instruction ID: 3cada10be5bb6e35f888bb74fea587270d61ede0fa47b53446cf0b1ece5d96cf
                              • Opcode Fuzzy Hash: f77f7ddf924487ab23edeb51e52314bded13a94c35c15c0a53022ec1fe50b1ae
                              • Instruction Fuzzy Hash: BC41A1B1904218BBDB21DB64CC85FEA77BDEF55710F1041A5E259F3191EAB09B84CF60
                              Function 2D379536 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 119COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 2D379540
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D380323: __EH_prolog3.LIBCMT ref: 2D38032A
                              • __CxxThrowException@8.LIBCMT ref: 2D379595
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • Path, xrefs: 2D379570
                              • Access64Bit, xrefs: 2D3795B3
                              • OPatchInstall: CActionRegistry::initFromElement starts, xrefs: 2D379550
                              • OPatchInstall: Will access the 32 bit view of the registry, xrefs: 2D379684
                              • OPatchInstall: Will access the 64 bit view of the registry, xrefs: 2D37967D
                              • OPatchInstall: CActionRegistry::initFromElement ends, xrefs: 2D379696
                              • OPatchInstall: Will process the path ', xrefs: 2D379610
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8FileH_prolog3H_prolog3_ThrowUserWrite
                              • String ID: Access64Bit$OPatchInstall: CActionRegistry::initFromElement ends$OPatchInstall: CActionRegistry::initFromElement starts$OPatchInstall: Will access the 32 bit view of the registry$OPatchInstall: Will access the 64 bit view of the registry$OPatchInstall: Will process the path '$Path
                              • API String ID: 1431807431-566466653
                              • Opcode ID: a5df6bd4623961213deb101d8fd9b307c5afc6a135cd5fca6e62ab1024e46b3c
                              • Instruction ID: 9e54f210cd7760c0f928f0b83e3fc4e389b3ecbd12be1a3f6910fd5250ee5c56
                              • Opcode Fuzzy Hash: a5df6bd4623961213deb101d8fd9b307c5afc6a135cd5fca6e62ab1024e46b3c
                              • Instruction Fuzzy Hash: 32412332A04604AADB11DB60CC80BFCB376FF79714F46C259D605B7296CB34AA81C7B6
                              Function 2D373392 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 96COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D3804F3: __EH_prolog3_GS.LIBCMT ref: 2D3804FD
                              • __CxxThrowException@8.LIBCMT ref: 2D3733E5
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • ComponentId, xrefs: 2D3733BC
                              • KeyPath, xrefs: 2D37348D
                              • OPatchInstall: CActionMsiGetComponentProperties::initFromElement starts, xrefs: 2D3733A0
                              • OPatchInstall: CActionMsiGetComponentProperties::initFromElement ends, xrefs: 2D37349C
                              • OPatchInstall: Will check for the ComponentId ', xrefs: 2D3733EA
                              • for product ', xrefs: 2D37342F
                              • ProductCode, xrefs: 2D37341C
                              • Exists, xrefs: 2D37347A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8FileH_prolog3_ThrowUserWrite
                              • String ID: ComponentId$Exists$KeyPath$OPatchInstall: CActionMsiGetComponentProperties::initFromElement ends$OPatchInstall: CActionMsiGetComponentProperties::initFromElement starts$OPatchInstall: Will check for the ComponentId '$ProductCode$for product '
                              • API String ID: 3074503020-716134250
                              • Opcode ID: d7cb55db6adf9dfed7ffb152f3259afccb49302aa159f9edf28b67a6e3218962
                              • Instruction ID: 2008b1e3f0e52e1ba2ae8619fe17eb94fbbfad0e1e063e31406db087d37b10c1
                              • Opcode Fuzzy Hash: d7cb55db6adf9dfed7ffb152f3259afccb49302aa159f9edf28b67a6e3218962
                              • Instruction Fuzzy Hash: 2A21D872348604775E2ADB10CCD0CFD661AEFF5548B4AC024EA52B725BCF34AE4586F9
                              Function 2D389B16 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 68libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • __CxxThrowException@8.LIBCMT ref: 2D389B3A
                              • LoadLibraryA.KERNEL32(?,2D3612A4,2D361344,?,OPatchInstlal: Loading OGA dll from '), ref: 2D389B76
                              • GetLastError.KERNEL32 ref: 2D389B85
                              • GetProcAddress.KERNEL32(00000000,LegitCheck), ref: 2D389BAF
                              • GetLastError.KERNEL32 ref: 2D389BBA
                              • GetProcAddress.KERNEL32(SetPartnerID), ref: 2D389BE7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: AddressErrorLastProc$Exception@8LibraryLoadThrow
                              • String ID: LegitCheck$OPatchInstlal: Loading OGA dll from '$SetPartnerID
                              • API String ID: 1197632057-2232419435
                              • Opcode ID: 321b6855017cca622e059680b965bc8b8c40f4a0c12cfa88b5b7fa5c253314e1
                              • Instruction ID: 646efa078c43c1e4cc1b91dd527a229c8e423d469a93cbdabcfbcd459293cbdb
                              • Opcode Fuzzy Hash: 321b6855017cca622e059680b965bc8b8c40f4a0c12cfa88b5b7fa5c253314e1
                              • Instruction Fuzzy Hash: D3216275A04105BBCB02DFA0CC849ED3BB9EB64741F018066EA01F7256EBB4DA40DBF9
                              Function 2D3861D4 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 79COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                              • __CxxThrowException@8.LIBCMT ref: 2D38620C
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              • __CxxThrowException@8.LIBCMT ref: 2D386253
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throw$DispatcherExceptionFileUserWrite
                              • String ID: ' is $OPatchInstall: CMSIProductVersion::getKeyPath() called$OPatchInstall: Product '$VersionMajor$installed$not installed
                              • API String ID: 3782066653-2208943399
                              • Opcode ID: 982c7d51477d1c51c4aea6ad314aa837387514ec29931a7f32028362f8c534c8
                              • Instruction ID: ca1f3e3e8c3a49960be25f80871f315f6d2c2b250d66cddefd8f1e2788154960
                              • Opcode Fuzzy Hash: 982c7d51477d1c51c4aea6ad314aa837387514ec29931a7f32028362f8c534c8
                              • Instruction Fuzzy Hash: 3C110536B046547ACA21D7A4CC80AFE726EDFF4504F1AC095E202F724ADA74AF0183F9
                              Function 2D3734B7 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 77COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D3804F3: __EH_prolog3_GS.LIBCMT ref: 2D3804FD
                              • __CxxThrowException@8.LIBCMT ref: 2D37350B
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • ProductName, xrefs: 2D373570
                              • OPatchInstall: CActionMsiGetProductProperties::initFromElement starts, xrefs: 2D3734C5
                              • OPatchInstall: CActionMsiGetProductProperties::initFromElement ends, xrefs: 2D37357F
                              • ProductCode, xrefs: 2D3734E2
                              • OPatchInstall: Will check for the Product Code ', xrefs: 2D373510
                              • Version, xrefs: 2D37355D
                              • Exists, xrefs: 2D37354A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8FileH_prolog3_ThrowUserWrite
                              • String ID: Exists$OPatchInstall: CActionMsiGetProductProperties::initFromElement ends$OPatchInstall: CActionMsiGetProductProperties::initFromElement starts$OPatchInstall: Will check for the Product Code '$ProductCode$ProductName$Version
                              • API String ID: 3074503020-2798100323
                              • Opcode ID: 64ba42268e9f2b354d2f247859d625175856bc5c89ae551dfe7576e4aa3e1557
                              • Instruction ID: c4f71aecdf91fd9f2d5ba51b8df830922b6ed5dffd5cc76b618e809040eac7b5
                              • Opcode Fuzzy Hash: 64ba42268e9f2b354d2f247859d625175856bc5c89ae551dfe7576e4aa3e1557
                              • Instruction Fuzzy Hash: 8721AE322485047B4A16EB10CC90CFE775AFBA5214B4AC025EA56F7256CF34AA4287E9
                              Function 2D37FB55 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 77COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 2D37FB5C
                                • Part of subcall function 2D37FAE1: __EH_prolog3_GS.LIBCMT ref: 2D37FAE8
                                • Part of subcall function 2D37FAE1: _wcsrchr.LIBCMT ref: 2D37FB0E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3_$_wcsrchr
                              • String ID: SYS.ARGS$SYS.ERROR$SYS.LANG$SYS.MSI$SYS.PATCH$SYS.PROC$SYS.WIN
                              • API String ID: 780983759-822222514
                              • Opcode ID: 9308246278200e73b91d5b311333ef9ea4b6cfacef8e86861220956c7e065577
                              • Instruction ID: f7d081213616432c060ced7d35444e9e45dae3059755cd15c3da80855866cb2d
                              • Opcode Fuzzy Hash: 9308246278200e73b91d5b311333ef9ea4b6cfacef8e86861220956c7e065577
                              • Instruction Fuzzy Hash: 15216FBAC08A4A56EF54D7A8D841FED6378FB152A0F50C456EB40F70C6DA39D04586B8
                              Function 2D385F39 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 70fileCOMMON
                              Download Yara Rule
                              APIs
                              • GetTempPathA.KERNEL32(00000103,?,2D361670,2D3A94F0,00000004), ref: 2D385F66
                              • GetLastError.KERNEL32 ref: 2D385F70
                              • __CxxThrowException@8.LIBCMT ref: 2D385F96
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                              • CreateFileA.KERNEL32(2D3A94F0,80000000,00000000,00000000,00000001,00000000,00000000), ref: 2D385FCD
                              • GetLastError.KERNEL32(?,?,?,?,2D3A1F6C), ref: 2D385FD8
                              Strings
                              • OPatchInstall: Could not create a path for the temp file, xrefs: 2D385FE5
                              • %sopatchinstall(%i).log, xrefs: 2D385FAE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorFileLast$CreateDispatcherExceptionException@8PathTempThrowUserWrite
                              • String ID: %sopatchinstall(%i).log$OPatchInstall: Could not create a path for the temp file
                              • API String ID: 244066722-719883549
                              • Opcode ID: 47dc587eca060ab023694eca46ddb68c4ad171f08eae060e44f308ddfb5814ec
                              • Instruction ID: 149dec6498bfb1f2ddbc81cf419cb66835bb67fdb614d35ebcf981d365a50849
                              • Opcode Fuzzy Hash: 47dc587eca060ab023694eca46ddb68c4ad171f08eae060e44f308ddfb5814ec
                              • Instruction Fuzzy Hash: 6711AF76D04108ABDB219B64CC84FFE77BDEB25754F0041A5F645F2282DB749E808FA9
                              Function 2D3982E8 Relevance: 13.6, APIs: 9, Instructions: 116COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __getptd.LIBCMT ref: 2D3982F8
                                • Part of subcall function 2D392592: __getptd_noexit.LIBCMT ref: 2D392595
                                • Part of subcall function 2D392592: __amsg_exit.LIBCMT ref: 2D3925A2
                                • Part of subcall function 2D397FE3: __getptd.LIBCMT ref: 2D397FEF
                                • Part of subcall function 2D397FE3: __amsg_exit.LIBCMT ref: 2D39800F
                              • getSystemCP.LIBCMT ref: 2D39830D
                                • Part of subcall function 2D398087: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 2D398096
                                • Part of subcall function 2D398087: GetOEMCP.KERNEL32(00000000,?), ref: 2D3980B0
                              • __malloc_crt.LIBCMT ref: 2D398323
                                • Part of subcall function 2D395236: Sleep.KERNEL32(00000000,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D,2D3A62C8,00000008), ref: 2D395257
                              • __setmbcp_nolock.LIBCMT ref: 2D398346
                                • Part of subcall function 2D398103: getSystemCP.LIBCMT ref: 2D39811E
                              • InterlockedDecrement.KERNEL32(?), ref: 2D39835E
                              • InterlockedIncrement.KERNEL32(00000000), ref: 2D398383
                              • __lock.LIBCMT ref: 2D39839E
                              • InterlockedDecrement.KERNEL32 ref: 2D398415
                              • InterlockedIncrement.KERNEL32(00000000), ref: 2D398439
                                • Part of subcall function 2D38F117: __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D38F117: ___sbh_find_block.LIBCMT ref: 2D38F140
                                • Part of subcall function 2D38F117: ___sbh_free_block.LIBCMT ref: 2D38F14F
                                • Part of subcall function 2D38F117: RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                                • Part of subcall function 2D38F117: GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Interlocked$DecrementIncrementLocaleSystem__amsg_exit__getptd__lock$ErrorFreeHeapLastSleepUpdateUpdate::____sbh_find_block___sbh_free_block__getptd_noexit__malloc_crt__setmbcp_nolock
                              • String ID:
                              • API String ID: 3643110423-0
                              • Opcode ID: 3df9e2e73ded6d5034aa11ea323272c5362a18b9c62b6570e362b053742b4db6
                              • Instruction ID: 55a5f1c193cecf32e6a3e12c9689995ceb6b018329593bca42f8a0165a0f77e9
                              • Opcode Fuzzy Hash: 3df9e2e73ded6d5034aa11ea323272c5362a18b9c62b6570e362b053742b4db6
                              • Instruction Fuzzy Hash: 0E41CF75A08204ABDB019F78C8807D97BF8FF48354F518929D982FB391DB38D981CBA4
                              Function 2D38BF57 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 109COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: _memset$Exception@8H_prolog3_Throw
                              • String ID: ($VersionString$W
                              • API String ID: 2480781943-4079459477
                              • Opcode ID: 558555e4bcce9c251829ce4fc9931f8ed741b9f43fb5430781d5f4dcfef6da38
                              • Instruction ID: 5d5eef83544ec6b6b1fab3c8d77bca575f11f59cbab9f48095fac805898ccd13
                              • Opcode Fuzzy Hash: 558555e4bcce9c251829ce4fc9931f8ed741b9f43fb5430781d5f4dcfef6da38
                              • Instruction Fuzzy Hash: E1313072906228AAD721DB90CC84FEF7B7DEF15650F008195E309F7156DB709A84CFA1
                              Function 2D36F770 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47fileCOMMON
                              Download Yara Rule
                              APIs
                              • GetTempPathA.KERNEL32(00000104,?), ref: 2D36F793
                              • GetLastError.KERNEL32 ref: 2D36F79D
                              • __CxxThrowException@8.LIBCMT ref: 2D36F7C3
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              • GetTempFileNameA.KERNEL32(?,OWP,00000000,?), ref: 2D36F7D7
                              • DeleteFileA.KERNEL32(?), ref: 2D36F7E2
                              • CreateDirectoryA.KERNEL32(?,00000000), ref: 2D36F7EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: FileTemp$CreateDeleteDirectoryDispatcherErrorExceptionException@8LastNamePathThrowUser
                              • String ID: OWP
                              • API String ID: 1319299049-437684616
                              • Opcode ID: 29b1fa34d9ccb81d06a30cb040f1ff0e9ac7c384e1e602b22a613856d2891ac5
                              • Instruction ID: cda4472a925f01eb7e136aaf6f11871dd1222fb439dff89d5c3a28be094a1925
                              • Opcode Fuzzy Hash: 29b1fa34d9ccb81d06a30cb040f1ff0e9ac7c384e1e602b22a613856d2891ac5
                              • Instruction Fuzzy Hash: 6D014C35E04219ABDB119B60CD49FEA77BCAF19B80F004095E645F6184DBB4DA848AEC
                              Function 2D381C7D Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 167COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 2D381C87
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D38F117: __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D38F117: ___sbh_find_block.LIBCMT ref: 2D38F140
                                • Part of subcall function 2D38F117: ___sbh_free_block.LIBCMT ref: 2D38F14F
                                • Part of subcall function 2D38F117: RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                                • Part of subcall function 2D38F117: GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                                • Part of subcall function 2D37EEC5: __EH_prolog3.LIBCMT ref: 2D37EECF
                              • __CxxThrowException@8.LIBCMT ref: 2D381DA5
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                                • Part of subcall function 2D36D44F: char_traits.LIBCPMT ref: 2D36D474
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherErrorExceptionException@8FileFreeH_prolog3H_prolog3_HeapLastThrowUserWrite___sbh_find_block___sbh_free_block__lockchar_traits
                              • String ID: ' to value '$CSession::setProperty$OPatchInstall: Setting property '$SYS.ARGS
                              • API String ID: 2542246481-3239059933
                              • Opcode ID: 45c8ccb3fd19e5a320718020a4b1ea79f35cb0cf54211eb430bf2a77c3c6db5b
                              • Instruction ID: 5c4de2efab20d8cd9b5567f57f537b37ce6b729c85bd893bde709ece7d25ffbf
                              • Opcode Fuzzy Hash: 45c8ccb3fd19e5a320718020a4b1ea79f35cb0cf54211eb430bf2a77c3c6db5b
                              • Instruction Fuzzy Hash: 2851AD71D08218ABCF15DBA4CC90BEDBB79EF64300F118199E256B3195DF706A89CBA4
                              Function 2D39E572 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69libraryCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D39E579
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D39E596
                                • Part of subcall function 2D36DFA2: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DFAB
                              • __CxxThrowException@8.LIBCMT ref: 2D39E5A4
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              • RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?), ref: 2D39E623
                              • LoadLibraryA.KERNELBASE(?,?,?), ref: 2D39E6A0
                              • GetLastError.KERNEL32 ref: 2D39E6AC
                              • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 2D39E6DF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception$Raise$DispatcherErrorException@8H_prolog3LastLibraryLoadThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: $$invalid string position
                              • API String ID: 1674345223-739374724
                              • Opcode ID: a7ad13a88237c0e190fd85da52cccd47ccf409acc6b007c1bd968e53eee6dba3
                              • Instruction ID: b50632d3e29d36f706cd775ccc77d647c938542fd5b5bf6564c18fe582a5c665
                              • Opcode Fuzzy Hash: a7ad13a88237c0e190fd85da52cccd47ccf409acc6b007c1bd968e53eee6dba3
                              • Instruction Fuzzy Hash: D1213971D01208AFCB14CFA9D980ADEB7F9EF48310F14842AE945F7340E774A944CB64
                              Function 2D37068A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64fileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 2D3706A4
                              • GetLastError.KERNEL32 ref: 2D3706B1
                              • __CxxThrowException@8.LIBCMT ref: 2D3706D9
                              • CloseHandle.KERNEL32(00000000,2D3612A4,' already exsits, will be renaming it to a temporary file,?,OPatchInstall: The file '), ref: 2D370723
                              Strings
                              • ' already exsits, will be renaming it to a temporary file, xrefs: 2D37070A
                              • OPatchInstall: The file ', xrefs: 2D3706F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CloseCreateErrorException@8FileHandleLastThrow
                              • String ID: ' already exsits, will be renaming it to a temporary file$OPatchInstall: The file '
                              • API String ID: 270997898-3382183290
                              • Opcode ID: 2ec8fd4015df4102da6a372a1cd7248c659132d7a85c6aa1ec3b56ae5626b1e0
                              • Instruction ID: 20434e2300cf42003ff5d7f0eedae62b2581dc4d3df48503009f8a2bab543854
                              • Opcode Fuzzy Hash: 2ec8fd4015df4102da6a372a1cd7248c659132d7a85c6aa1ec3b56ae5626b1e0
                              • Instruction Fuzzy Hash: C911E3366046047BEB159B70CC45DFE3B79EBA4561F018119FA02F6296CE789A4097A8
                              Function 2D36F994 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 64COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D36F99E
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D380323: __EH_prolog3.LIBCMT ref: 2D38032A
                              • __CxxThrowException@8.LIBCMT ref: 2D36F9EF
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • Path, xrefs: 2D36F9C6
                              • OPatchInstall: CActionFile::initFromElements ends, xrefs: 2D36FA5E
                              • OPatchInstall: CActionFile::initFromElement starts, xrefs: 2D36F9AA
                              • OPatchInstall: Will check for file ', xrefs: 2D36F9F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3$DispatcherExceptionException@8FileThrowUserWrite
                              • String ID: OPatchInstall: CActionFile::initFromElement starts$OPatchInstall: CActionFile::initFromElements ends$OPatchInstall: Will check for file '$Path
                              • API String ID: 3043255952-219723760
                              • Opcode ID: f470a4e526a291f3b7206f03f865a433e206b56a0cdf86f33d6c3636589200d1
                              • Instruction ID: 0a1ed77d35f902a74574873945d5cdfdf0ac8db819caab8a9a5466c482428411
                              • Opcode Fuzzy Hash: f470a4e526a291f3b7206f03f865a433e206b56a0cdf86f33d6c3636589200d1
                              • Instruction Fuzzy Hash: FC11A536A046406BCB25DB20CC909EC6722AFF1604F56C058E606F719ACB70AF468BE9
                              Function 2D36E8FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON
                              Download Yara Rule
                              APIs
                              • _memset.LIBCMT ref: 2D36E90D
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                              • GetLastError.KERNEL32 ref: 2D36E96D
                              • __CxxThrowException@8.LIBCMT ref: 2D36E98A
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              • CloseHandle.KERNEL32(00000000), ref: 2D36E998
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CloseDispatcherErrorExceptionException@8FileHandleLastThrowUserWrite_memset
                              • String ID: OPatchInstall: ShellExec '$open
                              • API String ID: 1909066581-1602519316
                              • Opcode ID: f22378a65af64f23b998f110bb0d1e12009827b3a1c38234567107df1bb40327
                              • Instruction ID: 960a714a2288039fe0e087d5097ff36d7c384be0f2cf3b3c38e7578456e19166
                              • Opcode Fuzzy Hash: f22378a65af64f23b998f110bb0d1e12009827b3a1c38234567107df1bb40327
                              • Instruction Fuzzy Hash: 9711C236D00218BBCB10DBA0CC88AEE7BB9EFA0644F058015F601F6255DB349A41CBE8
                              Function 2D36F808 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49fileCOMMON
                              Download Yara Rule
                              APIs
                              • GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 2D36F83D
                              • GetLastError.KERNEL32 ref: 2D36F847
                              • __CxxThrowException@8.LIBCMT ref: 2D36F86D
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              • GetTempFileNameA.KERNEL32(?,OPI,00000000,?), ref: 2D36F88A
                              • DeleteFileA.KERNEL32(?), ref: 2D36F895
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: FileName$DeleteDispatcherErrorExceptionException@8FullLastPathTempThrowUser
                              • String ID: OPI
                              • API String ID: 3431453736-826062735
                              • Opcode ID: c1934c3f381732248b907f82aefb0d98abd9640b4ca61a4acc1302a9d858b2ef
                              • Instruction ID: 2e44b663a8790dd72b521bfb428c0bdb754fd183e55b7953b3597d30621fda5e
                              • Opcode Fuzzy Hash: c1934c3f381732248b907f82aefb0d98abd9640b4ca61a4acc1302a9d858b2ef
                              • Instruction Fuzzy Hash: 72115E31E00219ABDB15DB64CD46BEE77BCAF18744F004095E605F7284DB74AA84CFE8
                              Function 2D37FC29 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 46COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 2D37FC30
                                • Part of subcall function 2D37FAE1: __EH_prolog3_GS.LIBCMT ref: 2D37FAE8
                                • Part of subcall function 2D37FAE1: _wcsrchr.LIBCMT ref: 2D37FB0E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3_$_wcsrchr
                              • String ID: SYS.ARGS$SYS.ERROR$SYS.MSI$SYS.PATCH$SYS.WIN
                              • API String ID: 780983759-1584573799
                              • Opcode ID: a2ee7306c5c2c84fc76ea9368ceb23e267b7735e71516d44a4980a01976a13ac
                              • Instruction ID: 3730335ea60bae6046f6ee119ab77f09cee0fd567638cfef5dc04eda6141cb77
                              • Opcode Fuzzy Hash: a2ee7306c5c2c84fc76ea9368ceb23e267b7735e71516d44a4980a01976a13ac
                              • Instruction Fuzzy Hash: 21018062D0854559FB10D7B5EAC1BFD6778AF24244F10C114EA11F20D9EBB8E608CAB4
                              Function 2D36F552 Relevance: 10.5, APIs: 7, Instructions: 45fileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,08000000,00000000), ref: 2D36F56B
                              • GetLastError.KERNEL32 ref: 2D36F578
                              • __CxxThrowException@8.LIBCMT ref: 2D36F595
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 2D36F59C
                              • GetLastError.KERNEL32 ref: 2D36F5AC
                              • CloseHandle.KERNEL32(00000000), ref: 2D36F5B5
                              • CloseHandle.KERNEL32(00000000), ref: 2D36F5BF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CloseErrorFileHandleLast$CreateException@8SizeThrow
                              • String ID:
                              • API String ID: 2650904697-0
                              • Opcode ID: 3a41a7136fc3c745f0813f4f809e8052e02a161f0bca6aa98f6645ff951c30a1
                              • Instruction ID: 6a23732d82fd1083ef0c15189de26edef1710e962dd05a875f61462556f150f8
                              • Opcode Fuzzy Hash: 3a41a7136fc3c745f0813f4f809e8052e02a161f0bca6aa98f6645ff951c30a1
                              • Instruction Fuzzy Hash: 0E012C36804154BBC7225F75DC0CE9A3FBCEB8AB61F108215FA25E6290DB345A00DAE8
                              Function 2D387770 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • __CxxThrowException@8.LIBCMT ref: 2D387794
                              • LoadLibraryA.KERNEL32(?), ref: 2D38779C
                              • GetLastError.KERNEL32 ref: 2D3877AB
                              • GetProcAddress.KERNEL32(00000000,Expression), ref: 2D3877D0
                              • GetLastError.KERNEL32 ref: 2D3877DF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorLast$AddressException@8LibraryLoadProcThrow
                              • String ID: Expression
                              • API String ID: 979385811-2540525009
                              • Opcode ID: 6868e78d3e0c8c67a1acf90dfdf7a5e996f6b403219d196460471f194866c32a
                              • Instruction ID: 481766e66a5f0e7c0a9671858a32ab1ee2965eb6e1d32d746b9d02e2866aa060
                              • Opcode Fuzzy Hash: 6868e78d3e0c8c67a1acf90dfdf7a5e996f6b403219d196460471f194866c32a
                              • Instruction Fuzzy Hash: 160100B5D08209BBDB12DF60C894ABE3BBDEB14641F008025F905E6216EB74D684CBA4
                              Function 2D383C96 Relevance: 9.1, APIs: 6, Instructions: 68fileCOMMON
                              Download Yara Rule
                              APIs
                              • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 2D383CB3
                              • GetLastError.KERNEL32 ref: 2D383CC1
                              • __CxxThrowException@8.LIBCMT ref: 2D383CDE
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 2D383CE5
                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 2D383D1C
                              • CloseHandle.KERNEL32(?), ref: 2D383D2E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: File$CloseCreateErrorException@8HandleLastReadSizeThrow
                              • String ID:
                              • API String ID: 1554728870-0
                              • Opcode ID: 0b73bcc57c74e125c44d81350139b4b506fb1318a4564cb98920a8155934032a
                              • Instruction ID: 0cbfe824d19d54489a857f52f4ae48c70d12ee00c432b9a63b57b0d4caf94948
                              • Opcode Fuzzy Hash: 0b73bcc57c74e125c44d81350139b4b506fb1318a4564cb98920a8155934032a
                              • Instruction Fuzzy Hash: 19118175904208BFDB019FA4CC88DAE7FBCEB192A0B108525F955E7251E7349E449BA4
                              Function 2D3946FD Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __CreateFrameInfo.LIBCMT ref: 2D394725
                                • Part of subcall function 2D38F69E: __getptd.LIBCMT ref: 2D38F6AC
                                • Part of subcall function 2D38F69E: __getptd.LIBCMT ref: 2D38F6BA
                              • __getptd.LIBCMT ref: 2D39472F
                                • Part of subcall function 2D392592: __getptd_noexit.LIBCMT ref: 2D392595
                                • Part of subcall function 2D392592: __amsg_exit.LIBCMT ref: 2D3925A2
                              • __getptd.LIBCMT ref: 2D39473D
                              • __getptd.LIBCMT ref: 2D39474B
                              • __getptd.LIBCMT ref: 2D394756
                              • _CallCatchBlock2.LIBCMT ref: 2D39477C
                                • Part of subcall function 2D38F743: __CallSettingFrame@12.LIBCMT ref: 2D38F78F
                                • Part of subcall function 2D394823: __getptd.LIBCMT ref: 2D394832
                                • Part of subcall function 2D394823: __getptd.LIBCMT ref: 2D394840
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                              • String ID:
                              • API String ID: 1602911419-0
                              • Opcode ID: 0a9946b08f7e2414ab9d955c98f971561d82cf2110e552643b4341efc1096828
                              • Instruction ID: 0743d555289be706589235156fe5dd447877b4f291d1ced118fc7f80ecf603f2
                              • Opcode Fuzzy Hash: 0a9946b08f7e2414ab9d955c98f971561d82cf2110e552643b4341efc1096828
                              • Instruction Fuzzy Hash: 151104B9C04209DFDB00DFA4C844AEDBBB0FF18324F51C469E955E7250EB389A109F54
                              Function 2D3805F7 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D380601
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                              • __CxxThrowException@8.LIBCMT ref: 2D3806DE
                                • Part of subcall function 2D38F117: __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D38F117: ___sbh_find_block.LIBCMT ref: 2D38F140
                                • Part of subcall function 2D38F117: ___sbh_free_block.LIBCMT ref: 2D38F14F
                                • Part of subcall function 2D38F117: RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                                • Part of subcall function 2D38F117: GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                              Strings
                              • OPatchInstall: Setting system property ', xrefs: 2D38060D
                              • ' with value ', xrefs: 2D380652
                              • CSession::setStandardProperty, xrefs: 2D3806C0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorException@8FileFreeH_prolog3HeapLastThrowWrite___sbh_find_block___sbh_free_block__lock
                              • String ID: ' with value '$CSession::setStandardProperty$OPatchInstall: Setting system property '
                              • API String ID: 3434176583-579691053
                              • Opcode ID: cfd2021437de26023abee82646911bb74bf90ec6afe5ab20f7e06428bf0da2a4
                              • Instruction ID: 1e7d15f2a67bb248ec5dcdcc459aa76c41e08344a744e18d0206f18f5fdb1b40
                              • Opcode Fuzzy Hash: cfd2021437de26023abee82646911bb74bf90ec6afe5ab20f7e06428bf0da2a4
                              • Instruction Fuzzy Hash: 0641883190420AAACF15DFA0CC91AED7B75EF60214F11C1A9E616B71E6DB305F898BA4
                              Function 2D37F35D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D37F367
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                              Strings
                              • OPatchInstall: End of all properties, xrefs: 2D37F4A3
                              • OPatchInstall: Logging all properties, xrefs: 2D37F373
                              • ' value ', xrefs: 2D37F406
                              • OPatchInstall: Property ', xrefs: 2D37F3AF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: FileH_prolog3Write
                              • String ID: ' value '$OPatchInstall: End of all properties$OPatchInstall: Logging all properties$OPatchInstall: Property '
                              • API String ID: 3581554285-1389568307
                              • Opcode ID: ca472d874844de1027e6a8b471c6b424c45a350723100b366b2d328b882ce02a
                              • Instruction ID: b1b984a3cba9b3fbcc2dccc79b4f7efe0b2ba870f6f2b7a4b767639a68765a69
                              • Opcode Fuzzy Hash: ca472d874844de1027e6a8b471c6b424c45a350723100b366b2d328b882ce02a
                              • Instruction Fuzzy Hash: 2A318032A046059BDB14DB50CC91AED73B6FF74304F5680A9D202F72E5DF34AE41CAA5
                              Function 2D388060 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32 ref: 2D3880C2
                              • CoTaskMemFree.OLE32(00000000), ref: 2D3880CB
                              • __CxxThrowException@8.LIBCMT ref: 2D3880F1
                              • CoTaskMemFree.OLE32(00000000), ref: 2D388105
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: FreeTask$ErrorException@8LastThrow
                              • String ID: A
                              • API String ID: 4082772262-3554254475
                              • Opcode ID: 7f9d91148af4b550367884fa76423bcc3feb82e8d2608ef02da5499b6dfe7645
                              • Instruction ID: d25dbb05741700df38ceada1defa2faa091ddd70e88c3b546efddd071a686bbb
                              • Opcode Fuzzy Hash: 7f9d91148af4b550367884fa76423bcc3feb82e8d2608ef02da5499b6dfe7645
                              • Instruction Fuzzy Hash: 85115176A01218BBCB11DF65DC48ADE77FCAF58740F008195E509E3241DB38AA44CBA8
                              Function 2D379742 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 53COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D379536: __EH_prolog3_GS.LIBCMT ref: 2D379540
                                • Part of subcall function 2D379536: __CxxThrowException@8.LIBCMT ref: 2D379595
                                • Part of subcall function 2D380323: __EH_prolog3.LIBCMT ref: 2D38032A
                              • __CxxThrowException@8.LIBCMT ref: 2D3797A0
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • Type, xrefs: 2D3797A9
                              • OPatchInstall: CActionWriteRegistry::initFromElement starts, xrefs: 2D379750
                              • OPatchInstall: CActionWriteRegistry::initFromElement ends, xrefs: 2D3797BC
                              • Data, xrefs: 2D379777
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throw$DispatcherExceptionFileH_prolog3H_prolog3_UserWrite
                              • String ID: Data$OPatchInstall: CActionWriteRegistry::initFromElement ends$OPatchInstall: CActionWriteRegistry::initFromElement starts$Type
                              • API String ID: 1690020135-351268825
                              • Opcode ID: 7f47ce5a13d761a96ff5eef68bf5526c191a1853f56c063b4bea215ad72780d0
                              • Instruction ID: 959289446d0128867d82c9459709ff7481ab62ee7dc9bace261f58766a3fbfa2
                              • Opcode Fuzzy Hash: 7f47ce5a13d761a96ff5eef68bf5526c191a1853f56c063b4bea215ad72780d0
                              • Instruction Fuzzy Hash: 9B0128323046043B4A159B20CC90CFE3B1BEFB8158B4AC125FB46B7217DF35EA4286B5
                              Function 2D3923F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __decode_pointer.LIBCMT ref: 2D392402
                                • Part of subcall function 2D392305: TlsGetValue.KERNEL32(00000000,?,2D3923C0,?,2D390724), ref: 2D392317
                                • Part of subcall function 2D392305: TlsGetValue.KERNEL32(00000005,?,2D3923C0,?,2D390724), ref: 2D39232E
                              • TlsFree.KERNEL32(00000004,2D3928D1), ref: 2D392420
                              • DeleteCriticalSection.KERNEL32(00000000,00000000,KERNEL32.DLL,?,2D3928D1), ref: 2D3933A8
                              • DeleteCriticalSection.KERNEL32(00000004,KERNEL32.DLL,?,2D3928D1), ref: 2D3933D2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CriticalDeleteSectionValue$Free__decode_pointer
                              • String ID: KERNEL32.DLL
                              • API String ID: 73151052-2576044830
                              • Opcode ID: dccdefd02cdb7b0f9bf8db24b34a1529db0dcbcc49d3074b7cb823bfee2595de
                              • Instruction ID: fd3b8c3c3732cc2adbb13c6701d7e251354cac18b7ed718f92bde69d91e87e8f
                              • Opcode Fuzzy Hash: dccdefd02cdb7b0f9bf8db24b34a1529db0dcbcc49d3074b7cb823bfee2595de
                              • Instruction Fuzzy Hash: D1018072640601ABC7655B28C8C56A6B3F9EB417343A1461AE9F4B76F0CB398C828765
                              Function 2D3818CF Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D36E1FC: __EH_prolog3.LIBCMT ref: 2D36E203
                              • __CxxThrowException@8.LIBCMT ref: 2D381930
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • OPatchInstall: CActionReboot::execute starts, xrefs: 2D3818DF
                              • OPatchInstall: Scheduling the reboot, xrefs: 2D3818F8
                              • OPatchInstall: The reboot is scheduled, xrefs: 2D381935
                              • OPatchInstall: CActionReboot::execute ends, xrefs: 2D381949
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8FileH_prolog3ThrowUserWrite
                              • String ID: OPatchInstall: CActionReboot::execute ends$OPatchInstall: CActionReboot::execute starts$OPatchInstall: Scheduling the reboot$OPatchInstall: The reboot is scheduled
                              • API String ID: 74031213-3592306054
                              • Opcode ID: bb2a788b02c1bee2156e66faf70c937ed970c8afa2168d4ea2ec2220a52e3cd4
                              • Instruction ID: 8d9da57280e3db32741ef6a1ea9f35e0fbb1885210ce7f4fe256d48c2ec4f9f0
                              • Opcode Fuzzy Hash: bb2a788b02c1bee2156e66faf70c937ed970c8afa2168d4ea2ec2220a52e3cd4
                              • Instruction Fuzzy Hash: F0F0367270462122D525AA35CC50EEF515F9FF1908F8AD019E602F619BDD785A4241F9
                              Function 2D394448 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON
                              Download Yara Rule
                              APIs
                              • __getptd.LIBCMT ref: 2D394462
                                • Part of subcall function 2D392592: __getptd_noexit.LIBCMT ref: 2D392595
                                • Part of subcall function 2D392592: __amsg_exit.LIBCMT ref: 2D3925A2
                              • __getptd.LIBCMT ref: 2D394473
                              • __getptd.LIBCMT ref: 2D394481
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __getptd$__amsg_exit__getptd_noexit
                              • String ID: MOC$csm
                              • API String ID: 803148776-1389381023
                              • Opcode ID: f9f9dcfff0fae24ed862b18d4eada347b32ec052f356a63b91cdffcbbfd7a3ba
                              • Instruction ID: 2e9bb0e171f8a84a211fd0a9432ee4de9045b875d603f2ff387f54312e39e830
                              • Opcode Fuzzy Hash: f9f9dcfff0fae24ed862b18d4eada347b32ec052f356a63b91cdffcbbfd7a3ba
                              • Instruction Fuzzy Hash: 19E04F791141048FC7009FA5D445BA873A8FB78239F96C0A1D50DDB322D738D940D756
                              Function 2D379AC4 Relevance: 7.7, APIs: 5, Instructions: 192COMMON
                              Download Yara Rule
                              APIs
                              • __CxxThrowException@8.LIBCMT ref: 2D379B09
                              • ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,?,?,00000000,00000002,00000000,?), ref: 2D379BF7
                              • GetLastError.KERNEL32(?,?,00000000,00000002,00000000,?), ref: 2D379C08
                              • ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,?,?,00000000,00000002,00000000,?), ref: 2D379C56
                              • GetLastError.KERNEL32(?,?,00000000,00000002,00000000,?), ref: 2D379C88
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: EnvironmentErrorExpandLastStrings$Exception@8Throw
                              • String ID:
                              • API String ID: 3874821722-0
                              • Opcode ID: b753053096963d46297761f6051045b68dd86a11a88fab3fff63dbe98b6de1c1
                              • Instruction ID: 6f0f15532dfdb7327d388084771b9d61f82d0afe9d632a2cc61af850243f39d4
                              • Opcode Fuzzy Hash: b753053096963d46297761f6051045b68dd86a11a88fab3fff63dbe98b6de1c1
                              • Instruction Fuzzy Hash: 27614A75D0864EAFDF01DFA4D891CFEBBB8EF18300B118169E601B7261DB759A04DBA4
                              Function 2D387F19 Relevance: 7.6, APIs: 5, Instructions: 59COMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentDirectoryA.KERNEL32(00000000,00000000), ref: 2D387F2C
                              • SetLastError.KERNEL32(00000008), ref: 2D387F49
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CurrentDirectoryErrorLast
                              • String ID:
                              • API String ID: 152501406-0
                              • Opcode ID: 29523339c5b730be5e0c765d46c4f56a11ef45bed742f66f1ca25cfd809ca0ac
                              • Instruction ID: 7e6c121b7f8712a63d1686c359aa108d2f8fe136732621f7c6755e67b323c8f1
                              • Opcode Fuzzy Hash: 29523339c5b730be5e0c765d46c4f56a11ef45bed742f66f1ca25cfd809ca0ac
                              • Instruction Fuzzy Hash: 1411E573808014BBCF122B26DC09F993B7AEF953A1F018061F659F51D2DF708A80CAE4
                              Function 2D397FE3 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __getptd.LIBCMT ref: 2D397FEF
                                • Part of subcall function 2D392592: __getptd_noexit.LIBCMT ref: 2D392595
                                • Part of subcall function 2D392592: __amsg_exit.LIBCMT ref: 2D3925A2
                              • __amsg_exit.LIBCMT ref: 2D39800F
                              • __lock.LIBCMT ref: 2D39801F
                              • InterlockedDecrement.KERNEL32(?), ref: 2D39803C
                              • InterlockedIncrement.KERNEL32(010D1688), ref: 2D398067
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                              • String ID:
                              • API String ID: 4271482742-0
                              • Opcode ID: 787dfb0ad3f6d29a27bef0f4e1f89d76ba5bbc9cbb69f1297f9cdabb95506bff
                              • Instruction ID: 06d2929f6e89863a40afc79684a0c3de4bc2b8034f32b67f054897b33e76ff59
                              • Opcode Fuzzy Hash: 787dfb0ad3f6d29a27bef0f4e1f89d76ba5bbc9cbb69f1297f9cdabb95506bff
                              • Instruction Fuzzy Hash: 83019236E06A11BBD7529F65C40A7ED77B4FF44B60F118105EA10B7780DB38A940DBD5
                              Function 2D388C32 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D388C39
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D388C62
                                • Part of subcall function 2D36DFA2: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DFAB
                              • __CxxThrowException@8.LIBCMT ref: 2D388C70
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • invalid map/set<T> iterator, xrefs: 2D388C4A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: invalid map/set<T> iterator
                              • API String ID: 4068783259-152884079
                              • Opcode ID: d52b6a3c48c3c47cac4ff993b10aea5dfa9eb2edcf1c9e7d86a05886a9f64203
                              • Instruction ID: 4646ae061bcfb7dbf3c6f36c8f580d00bc84d293544ec94dd46ed7764a3b3464
                              • Opcode Fuzzy Hash: d52b6a3c48c3c47cac4ff993b10aea5dfa9eb2edcf1c9e7d86a05886a9f64203
                              • Instruction Fuzzy Hash: B5A18C7090A281DFD726CF24D580BA5BFF1BF55304F19C489D289AB297D3B6E885CB90
                              Function 2D38A4EB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D38A4F2
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D38A51B
                                • Part of subcall function 2D36DFA2: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DFAB
                              • __CxxThrowException@8.LIBCMT ref: 2D38A529
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • invalid map/set<T> iterator, xrefs: 2D38A503
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: invalid map/set<T> iterator
                              • API String ID: 4068783259-152884079
                              • Opcode ID: e670edc4af79bef4ca16c33c91d1d4bd0203187d9cd2422abf383cfc0695f912
                              • Instruction ID: 6842d45691cb65394fe1d033e586d8965155aa233236f840c29329beea83d9f5
                              • Opcode Fuzzy Hash: e670edc4af79bef4ca16c33c91d1d4bd0203187d9cd2422abf383cfc0695f912
                              • Instruction Fuzzy Hash: F5A16AB0A0C2959FDB02CF24C480B65BBE1BF19314F29C589D58AAF297C375E885CF94
                              Function 2D3749C2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D3749C9
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D3749F2
                                • Part of subcall function 2D36DFA2: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DFAB
                              • __CxxThrowException@8.LIBCMT ref: 2D374A00
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • invalid map/set<T> iterator, xrefs: 2D3749DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: invalid map/set<T> iterator
                              • API String ID: 4068783259-152884079
                              • Opcode ID: c59ecf06f617d55c9c5e61bd484d324ce52f0db6e8ce0279b2935063dce1976a
                              • Instruction ID: 0bdde11be562e8f53b36403988e667d3090883c4701c6694d8ba49e2e78e60a9
                              • Opcode Fuzzy Hash: c59ecf06f617d55c9c5e61bd484d324ce52f0db6e8ce0279b2935063dce1976a
                              • Instruction Fuzzy Hash: 7CA16FB0E08A91DFE742CF24C484B65BBF5BF19324F258588D1996B252C3B9FC85CB94
                              Function 2D37C8A2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D37C8A9
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D37C8D2
                                • Part of subcall function 2D36DFA2: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DFAB
                              • __CxxThrowException@8.LIBCMT ref: 2D37C8E0
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              • invalid map/set<T> iterator, xrefs: 2D37C8BA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: invalid map/set<T> iterator
                              • API String ID: 4068783259-152884079
                              • Opcode ID: 55d71ad8012f584b546e4251c9c3fdf131d57464754abaf664dc6d64e23f15be
                              • Instruction ID: f2c162d79a36b79132b77659d00b9cc7a5748b7364da75e4aee670dd6885bb3d
                              • Opcode Fuzzy Hash: 55d71ad8012f584b546e4251c9c3fdf131d57464754abaf664dc6d64e23f15be
                              • Instruction Fuzzy Hash: B5A16F70909A81DFF792CF64C584BA5BBF1BF16304F19C488D2896B257D37AE885CB90
                              Function 2D37D8ED Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 159COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D37D8F7
                                • Part of subcall function 2D36D19F: __EH_prolog3.LIBCMT ref: 2D36D1A6
                              • __CxxThrowException@8.LIBCMT ref: 2D37D960
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                              Strings
                              • Parameter, xrefs: 2D37D903
                              • OPatchInstall: Will use the parameter ', xrefs: 2D37D9FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: H_prolog3$Exception@8FileThrowWrite
                              • String ID: OPatchInstall: Will use the parameter '$Parameter
                              • API String ID: 3235903053-1315047
                              • Opcode ID: c262fd85ba0b475b48642cc3215c881a1d7773d0ecb3c28349c83ad743924052
                              • Instruction ID: 77c0193b7644594b3277e1106e6e281c1290c98b2e009512bc97841d459215ac
                              • Opcode Fuzzy Hash: c262fd85ba0b475b48642cc3215c881a1d7773d0ecb3c28349c83ad743924052
                              • Instruction Fuzzy Hash: 8751AE71A0464ADFDF00CF94C880AEEBBB5FF55204F148068E606FB295CB349E45CBA0
                              Function 2D388F16 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D388F1D
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D388F45
                                • Part of subcall function 2D36DF57: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DF60
                              • __CxxThrowException@8.LIBCMT ref: 2D388F53
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: map/set<T> too long
                              • API String ID: 4068783259-1285458680
                              • Opcode ID: 25310a91d66e70fa3e4dc8cb45e6e3012eea5d00f5d982e5032dfe060d578e4e
                              • Instruction ID: 4ce1699f92581709ea0fbe9f5d8c7d1094cc6de98e39ff542add9796ceb9557f
                              • Opcode Fuzzy Hash: 25310a91d66e70fa3e4dc8cb45e6e3012eea5d00f5d982e5032dfe060d578e4e
                              • Instruction Fuzzy Hash: A34139766046409FD711CF58D584EA9BBF6BF59304F0A8088EA49AB393D772FC81CB91
                              Function 2D36E038 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D36E03F
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D36E067
                                • Part of subcall function 2D36DF57: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DF60
                              • __CxxThrowException@8.LIBCMT ref: 2D36E075
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: map/set<T> too long
                              • API String ID: 4068783259-1285458680
                              • Opcode ID: 4b011b6c261ec8391850ffc900ab18900c26f1c6a842e51367896947056264f6
                              • Instruction ID: 3d6ee80794b1e5094a04f459ca28d0fbdfd2f01d933c2d2ee19968a4ac3a45b4
                              • Opcode Fuzzy Hash: 4b011b6c261ec8391850ffc900ab18900c26f1c6a842e51367896947056264f6
                              • Instruction Fuzzy Hash: 264134716042509FD701CF2AC484AA5BBF1BF19314F0AC188DA49AB7A6C771EC89CFE5
                              Function 2D38BA71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D38BA78
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D38BAA0
                                • Part of subcall function 2D36DF57: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DF60
                              • __CxxThrowException@8.LIBCMT ref: 2D38BAAE
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: map/set<T> too long
                              • API String ID: 4068783259-1285458680
                              • Opcode ID: 698a6c8c2d52a9495d04485046b0de0a2ea6aa138b5ed436b678484fa2d863df
                              • Instruction ID: ab043f396945671ed3055fbb2a9f01a323f3e029f97fc1f1d1f7792caa04a15f
                              • Opcode Fuzzy Hash: 698a6c8c2d52a9495d04485046b0de0a2ea6aa138b5ed436b678484fa2d863df
                              • Instruction Fuzzy Hash: 104138716046459FD702CF18C0C4EA6BBF5BF19314F1A8188D54AAB7A7C7B5EC81CB90
                              Function 2D38198E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • ' to be extracted to ', xrefs: 2D381A12
                              • OPatchInstall: Adding the file with Id ', xrefs: 2D3819FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throw_memset
                              • String ID: ' to be extracted to '$OPatchInstall: Adding the file with Id '
                              • API String ID: 3963884845-339039882
                              • Opcode ID: fd412d0d1d055fa3b8a4e825d329b1887bcaebfb261e355434b1aa453691deaf
                              • Instruction ID: f739ac3a33ee5256180834819249f7096d1ddda2df465a9e60b03a8391749609
                              • Opcode Fuzzy Hash: fd412d0d1d055fa3b8a4e825d329b1887bcaebfb261e355434b1aa453691deaf
                              • Instruction Fuzzy Hash: EF110833A0852436CA129E64CC40DEE3729DFB2664F46C215FE11FA2D6CE349B0143E5
                              Function 2D397D99 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetModuleHandleA.KERNEL32(KERNEL32,2D3901BF), ref: 2D397D9E
                              • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 2D397DAE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: IsProcessorFeaturePresent$KERNEL32
                              • API String ID: 1646373207-3105848591
                              • Opcode ID: 4c23221a75755089949ff04ee5b0d545151481e804a78921f60f012bef2fe408
                              • Instruction ID: 2584ecfa318817557c4303a3b13e2f760911f25dab51d21ecaea10ddc5015913
                              • Opcode Fuzzy Hash: 4c23221a75755089949ff04ee5b0d545151481e804a78921f60f012bef2fe408
                              • Instruction Fuzzy Hash: 5BF03060944909A3DB001FA1E8097BF7B78BB81786F810990D292B01D8DF3580B4C299
                              Function 2D37A431 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32synchronizationCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D37A30F: PostMessageA.USER32(?,00008001,00000000,00000000), ref: 2D37A31A
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,2D3612A4,OPatchInstall: Closing the Dialog thread), ref: 2D37A466
                              • CloseHandle.KERNEL32(00000000), ref: 2D37A46F
                              Strings
                              • OPatchInstall: The dialog thread is closed, xrefs: 2D37A479
                              • OPatchInstall: Closing the Dialog thread, xrefs: 2D37A441
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CloseFileHandleMessageObjectPostSingleWaitWrite
                              • String ID: OPatchInstall: Closing the Dialog thread$OPatchInstall: The dialog thread is closed
                              • API String ID: 3185453390-2827411991
                              • Opcode ID: 9a33da27fe5ace1d6c8995181687dc2c304a6448e26b0fae31dae239d7eab018
                              • Instruction ID: c843ee3ee59eb520dc4a20c986960e42dd1544ed918d49d859183a8e7f927d0f
                              • Opcode Fuzzy Hash: 9a33da27fe5ace1d6c8995181687dc2c304a6448e26b0fae31dae239d7eab018
                              • Instruction Fuzzy Hash: 76F027333085117BCA125714CC80BBDF26AFBE0519F46C224E215B12A8CF381C9293D9
                              Function 2D370635 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D37063C
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D37066A
                                • Part of subcall function 2D36DF57: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DF60
                              • __CxxThrowException@8.LIBCMT ref: 2D370678
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: list<T> too long
                              • API String ID: 4068783259-4027344264
                              • Opcode ID: e1e8483606ff898c1a8b3f8e7c4c02071160dccaa535b3bad60ef7ae1214f805
                              • Instruction ID: d355200c47f56a925079b41b6259e8d047983b2c8be9238edcff08cfda807e4d
                              • Opcode Fuzzy Hash: e1e8483606ff898c1a8b3f8e7c4c02071160dccaa535b3bad60ef7ae1214f805
                              • Instruction Fuzzy Hash: 47F03077D1421496CB04DAB0C880ADD77B4EF78254F268524D604FB159E634DA45C7E4
                              Function 2D37FA5D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D37FA64
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D37FA92
                                • Part of subcall function 2D36DF57: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DF60
                              • __CxxThrowException@8.LIBCMT ref: 2D37FAA0
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: list<T> too long
                              • API String ID: 4068783259-4027344264
                              • Opcode ID: 6f365b701ab057823452bd5fb62f4e33722fb46a2df78d2ab6a0a9284f844b5e
                              • Instruction ID: d5a21a0aeadfb0f17fdf8e4f11db502999b18e9123cd9783bfdf506b69fcb06f
                              • Opcode Fuzzy Hash: 6f365b701ab057823452bd5fb62f4e33722fb46a2df78d2ab6a0a9284f844b5e
                              • Instruction Fuzzy Hash: E7F0A073D102049BCB04DAB0C880ADC73B4AF78310F268214DA04FB1C9E634DA05C7E4
                              Function 2D38B6B2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D38B6B9
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D38B6D6
                                • Part of subcall function 2D36DF57: std::runtime_error::runtime_error.LIBCPMT ref: 2D36DF60
                              • __CxxThrowException@8.LIBCMT ref: 2D38B6E4
                                • Part of subcall function 2D38EE42: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 2D38EE84
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: DispatcherExceptionException@8H_prolog3ThrowUserstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                              • String ID: vector<T> too long
                              • API String ID: 4068783259-3788999226
                              • Opcode ID: 96f2b50a614e7422ec1249629f887a844c755b8575c1a0879420c9fecdbb3d02
                              • Instruction ID: 1faa81bf2442e9bed32f17938b225ba1f227d8dbba01f0212ea31bae360df047
                              • Opcode Fuzzy Hash: 96f2b50a614e7422ec1249629f887a844c755b8575c1a0879420c9fecdbb3d02
                              • Instruction Fuzzy Hash: 6ED0E272804108AADB04D6E0CC80AED73B8EB24200F568014E700BA099EA749A08C6B5
                              Function 2D36F368 Relevance: 6.3, APIs: 5, Instructions: 74stringCOMMON
                              Download Yara Rule
                              APIs
                              • lstrlenA.KERNEL32(?), ref: 2D36F383
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,?,00000001), ref: 2D36F3B0
                              • GetLastError.KERNEL32(?,00000001), ref: 2D36F3BB
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000001), ref: 2D36F3D4
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,00000001), ref: 2D36F3FA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLastlstrlen
                              • String ID:
                              • API String ID: 3322701435-0
                              • Opcode ID: 871f69aff593c73d29750939a852bc67324299fc608df63e833725462f9f4063
                              • Instruction ID: c5d9de8e5e76e16c545ce70ee2d750068f35ae2e001047925a5337059c65d45a
                              • Opcode Fuzzy Hash: 871f69aff593c73d29750939a852bc67324299fc608df63e833725462f9f4063
                              • Instruction Fuzzy Hash: 0C113036801128FBCF225F92CC44D9EBF7DEF457A0B118161FA04EA154D6318A11DBF4
                              Function 2D38EA25 Relevance: 6.1, APIs: 4, Instructions: 104COMMON
                              Download Yara Rule
                              APIs
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,231091CD,?,?,?,?,?,2D3A19AF,000000FF), ref: 2D38EA94
                              • GetLastError.KERNEL32(?,?,?,?,?,2D3A19AF,000000FF), ref: 2D38EAA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide
                              • String ID:
                              • API String ID: 203985260-0
                              • Opcode ID: 0c2130176f6239e4763d195bebd036f1124e85245f79700872d46efbef578462
                              • Instruction ID: ca038201943ca38e0713b971baa4a670c982c377f703c35472c1825bf4b8a6de
                              • Opcode Fuzzy Hash: 0c2130176f6239e4763d195bebd036f1124e85245f79700872d46efbef578462
                              • Instruction Fuzzy Hash: E131FBB2F44205BBD7108F65CC46F6A77E8EB54F20F104229FA15F72C1D679E5008294
                              Function 2D39A4F8 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 2D39A52C
                              • __isleadbyte_l.LIBCMT ref: 2D39A560
                              • MultiByteToWideChar.KERNEL32(00000080,00000009,2D38FADD,?,00000000,00000000,?,?,?,?,2D38FADD), ref: 2D39A591
                              • MultiByteToWideChar.KERNEL32(00000080,00000009,2D38FADD,00000001,00000000,00000000,?,?,?,?,2D38FADD), ref: 2D39A5FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                              • String ID:
                              • API String ID: 3058430110-0
                              • Opcode ID: e5eb2e83da889db1e4bc6dccfcaa2f0e3a07a6d136d94a841b9e9c7cf69fc5ff
                              • Instruction ID: 6a43bb291a7fa2d6b2cb3353ce2577a0952283052cce41dcb793adeb2fe9f4db
                              • Opcode Fuzzy Hash: e5eb2e83da889db1e4bc6dccfcaa2f0e3a07a6d136d94a841b9e9c7cf69fc5ff
                              • Instruction Fuzzy Hash: EE31A331B18245EFDB11CF64C8819FE7BB5FF01321F158669E9A5AB195E330D940DB50
                              Function 2D36F48A Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorLast$Exception@8Throw
                              • String ID:
                              • API String ID: 4186728697-0
                              • Opcode ID: b8802fde3ce81e44d273283133ad32cc34a2d45d9f1eb7038a4c731946a80b79
                              • Instruction ID: 352c71a1269a09956156d9a3b9dc32a9c9ba3014d5c01264527b277a96f56e1a
                              • Opcode Fuzzy Hash: b8802fde3ce81e44d273283133ad32cc34a2d45d9f1eb7038a4c731946a80b79
                              • Instruction Fuzzy Hash: B321E735A05118BBCB129FA1CC09EDE7F7EFF05651B008060FA05E1254DB358A50EBA8
                              Function 2D3933F9 Relevance: 6.1, APIs: 4, Instructions: 63COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __FF_MSGBANNER.LIBCMT ref: 2D393415
                                • Part of subcall function 2D391985: __set_error_mode.LIBCMT ref: 2D391987
                                • Part of subcall function 2D391985: __set_error_mode.LIBCMT ref: 2D391994
                                • Part of subcall function 2D391985: __NMSG_WRITE.LIBCMT ref: 2D3919AC
                                • Part of subcall function 2D391985: __NMSG_WRITE.LIBCMT ref: 2D3919B6
                              • __NMSG_WRITE.LIBCMT ref: 2D39341C
                                • Part of subcall function 2D3917DA: __set_error_mode.LIBCMT ref: 2D39180B
                                • Part of subcall function 2D3917DA: __set_error_mode.LIBCMT ref: 2D39181C
                                • Part of subcall function 2D3917DA: _strcpy_s.LIBCMT ref: 2D391850
                                • Part of subcall function 2D3917DA: __invoke_watson.LIBCMT ref: 2D391861
                                • Part of subcall function 2D3917DA: GetModuleFileNameA.KERNEL32(00000000,2D3AABB1,00000104), ref: 2D39187D
                                • Part of subcall function 2D3917DA: _strcpy_s.LIBCMT ref: 2D391892
                                • Part of subcall function 2D3917DA: __invoke_watson.LIBCMT ref: 2D3918A5
                                • Part of subcall function 2D3917DA: __invoke_watson.LIBCMT ref: 2D3918E8
                                • Part of subcall function 2D390DAB: ___crtCorExitProcess.LIBCMT ref: 2D390DB3
                                • Part of subcall function 2D390DAB: ExitProcess.KERNEL32 ref: 2D390DBC
                              • __malloc_crt.LIBCMT ref: 2D393443
                                • Part of subcall function 2D395236: Sleep.KERNEL32(00000000,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D,2D3A62C8,00000008), ref: 2D395257
                              • __lock.LIBCMT ref: 2D393460
                                • Part of subcall function 2D392E82: __getptd_noexit.LIBCMT ref: 2D392E82
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __set_error_mode$__invoke_watson$ExitProcess_strcpy_s$FileModuleNameSleep___crt__getptd_noexit__lock__malloc_crt
                              • String ID:
                              • API String ID: 3046035180-0
                              • Opcode ID: 81ad7f97a8be10fbdf44ac9f09473db5e7103828070655728951246468e11896
                              • Instruction ID: 7dcd23ffb2415a9ca66b6ae7131dfa7555bf4a92e72d60f7aa303cec60ecdbd9
                              • Opcode Fuzzy Hash: 81ad7f97a8be10fbdf44ac9f09473db5e7103828070655728951246468e11896
                              • Instruction Fuzzy Hash: A01160B660C206A9E7166F70D842AAD63A4FB61724F53C039D391BB2C0DA7445818B51
                              Function 2D387E7F Relevance: 6.1, APIs: 4, Instructions: 54COMMON
                              Download Yara Rule
                              APIs
                              • SetLastError.KERNEL32(00000008), ref: 2D387E9A
                              • GetModuleFileNameA.KERNEL32(?,00000000,?), ref: 2D387EAC
                              • GetLastError.KERNEL32 ref: 2D387EB8
                              • SetLastError.KERNEL32(00000000), ref: 2D387EC8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorLast$FileModuleName
                              • String ID:
                              • API String ID: 1026760046-0
                              • Opcode ID: 89a26e8cc59f0c33defd9b3cea66c7dde511ef0d9da4d0e1cb32190f802b9d46
                              • Instruction ID: bdac560ee3b9850e996e492404620dccd43c9f7a76c0dd502e37bffafe1310ec
                              • Opcode Fuzzy Hash: 89a26e8cc59f0c33defd9b3cea66c7dde511ef0d9da4d0e1cb32190f802b9d46
                              • Instruction Fuzzy Hash: D0012E72808115BBCF122B25DC05EDE3BBAEFA5360F014065F615F6292EF3089A0DBA4
                              Function 2D387FC9 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                              Download Yara Rule
                              APIs
                              • SetLastError.KERNEL32(00000008), ref: 2D387FE4
                              • GetTempPathA.KERNEL32(?,00000000), ref: 2D387FF3
                              • GetLastError.KERNEL32 ref: 2D387FFF
                              • SetLastError.KERNEL32(00000000), ref: 2D38800F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorLast$PathTemp
                              • String ID:
                              • API String ID: 3558416190-0
                              • Opcode ID: e556749e4208f76e2880dd34d4fa939c2dffa28094391cb9602776f76f217e07
                              • Instruction ID: 036fbfdc808cb7554773416b0896192f64bdd8de23b017231b244a23810e2b91
                              • Opcode Fuzzy Hash: e556749e4208f76e2880dd34d4fa939c2dffa28094391cb9602776f76f217e07
                              • Instruction Fuzzy Hash: B201F5B2809015BBCF122B24EC05EDE3B79EF553B1F014061F619F51D2EF708A80DAA4
                              Function 2D397C64 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                              • String ID:
                              • API String ID: 3016257755-0
                              • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                              • Instruction ID: 2ef324df24ac3f8c9f3617f72cf59e807ab471f4231ba61044c9a089b628c9c0
                              • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                              • Instruction Fuzzy Hash: 1D114BB204414ABBCF125F94DC42CEE3F66BB58294F458815FF58691B0D236CAB2EF81
                              Function 2D385E92 Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON
                              Download Yara Rule
                              APIs
                              • __CxxThrowException@8.LIBCMT ref: 2D385EBB
                              • CreateFileA.KERNEL32(2D3A94F0,C0000000,00000001,00000000,00000004,00000000,00000000,?), ref: 2D385ECF
                              • GetLastError.KERNEL32(?,C0000000,00000001,00000000,00000004,00000000,00000000,?,2D3A1F6C), ref: 2D385EE0
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 2D385F03
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: File$CreateErrorException@8LastPointerThrow
                              • String ID:
                              • API String ID: 588245994-0
                              • Opcode ID: 3caa63eebaa595ec30c50f1a0df590daa26a1b61f2167b7f5c2ce57ab6d03f1e
                              • Instruction ID: 5176cf659e1d2b3cde1f035aaf641b5502f843f98f1e53ba26b500c252f3416c
                              • Opcode Fuzzy Hash: 3caa63eebaa595ec30c50f1a0df590daa26a1b61f2167b7f5c2ce57ab6d03f1e
                              • Instruction Fuzzy Hash: 72019A36804744BBC720D774CC49EDF7BBCEB86B20F104299F261F21D1DB70A54586A8
                              Function 2D39874D Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __getptd.LIBCMT ref: 2D398759
                                • Part of subcall function 2D392592: __getptd_noexit.LIBCMT ref: 2D392595
                                • Part of subcall function 2D392592: __amsg_exit.LIBCMT ref: 2D3925A2
                              • __getptd.LIBCMT ref: 2D398770
                              • __amsg_exit.LIBCMT ref: 2D39877E
                              • __lock.LIBCMT ref: 2D39878E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                              • String ID:
                              • API String ID: 3521780317-0
                              • Opcode ID: 03b8e0ba8ee43a43ecf1480b1e3a9b1819a43bb8209c59b989c4e17813e0c84e
                              • Instruction ID: 348752853776b6e1bffbd35073035aac5042d28b5edcbb04378d0c7e4341011b
                              • Opcode Fuzzy Hash: 03b8e0ba8ee43a43ecf1480b1e3a9b1819a43bb8209c59b989c4e17813e0c84e
                              • Instruction Fuzzy Hash: B8F09A36A48A009BD351ABB4C841BDC73E0FBA0720F92CA19E691B72D0CB389940EB51
                              Function 2D3946B2 Relevance: 6.0, APIs: 4, Instructions: 19COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __EH_prolog3_catch.LIBCMT ref: 2D3946B9
                              • __getptd.LIBCMT ref: 2D3946BE
                                • Part of subcall function 2D392592: __getptd_noexit.LIBCMT ref: 2D392595
                                • Part of subcall function 2D392592: __amsg_exit.LIBCMT ref: 2D3925A2
                              • __getptd.LIBCMT ref: 2D3946E5
                              • __CxxThrowException@8.LIBCMT ref: 2D3946F7
                                • Part of subcall function 2D3950A1: __decode_pointer.LIBCMT ref: 2D3950B3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __getptd$Exception@8H_prolog3_catchThrow__amsg_exit__decode_pointer__getptd_noexit
                              • String ID:
                              • API String ID: 2601141776-0
                              • Opcode ID: 062e9d736ab92be418a01d710c2063309cb188e0219e317cb746a712188494dd
                              • Instruction ID: 2213c1f56021a2915a735193bd01cb4bdc4afc6f549dc4cec8993696535d6a6c
                              • Opcode Fuzzy Hash: 062e9d736ab92be418a01d710c2063309cb188e0219e317cb746a712188494dd
                              • Instruction Fuzzy Hash: 97E086BA5086049BF704ABB1C819BDC3260EF30325F16C15993597A2D2CA708980C756
                              Function 2D386374 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D38633B: __CxxThrowException@8.LIBCMT ref: 2D38636D
                              • __CxxThrowException@8.LIBCMT ref: 2D3863BB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throw
                              • String ID: ' is '$OPatchInstall: Key path for component '
                              • API String ID: 2005118841-3441123739
                              • Opcode ID: 32c317cd6431b22fe2c1ecc8bb05954c1d592e55d28e4fd1840b7705a9df0bcd
                              • Instruction ID: f536bb82e6644bb692b002b605d36ada785119ceb16643b90827c5b75bfd991a
                              • Opcode Fuzzy Hash: 32c317cd6431b22fe2c1ecc8bb05954c1d592e55d28e4fd1840b7705a9df0bcd
                              • Instruction Fuzzy Hash: 42110336A086447BCB20D6A4CC80EFE777DEFB5604F468459E602F3196CB706A4587A5
                              Function 2D373284 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON
                              Download Yara Rule
                              APIs
                              • std::bad_exception::bad_exception.LIBCMT ref: 2D3732B2
                              • __CxxThrowException@8.LIBCMT ref: 2D3732C0
                              Strings
                              • OPatchInstall: CMSIProductDetection created for ProductCode ', xrefs: 2D3732D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::bad_exception::bad_exception
                              • String ID: OPatchInstall: CMSIProductDetection created for ProductCode '
                              • API String ID: 953301-272183199
                              • Opcode ID: 0300f2fdd8ed1fb76651f2ba19ed087537551a352be9abc8d9c324664c7df499
                              • Instruction ID: 39fdff74e050d5d384371396544156452eb85d1e2f38dffe7084e68afe995dee
                              • Opcode Fuzzy Hash: 0300f2fdd8ed1fb76651f2ba19ed087537551a352be9abc8d9c324664c7df499
                              • Instruction Fuzzy Hash: C6014733B1821432CB08A224DC50DEE775ADBF0924F06C12AFA26F21D6DE70A65042E8
                              Function 2D37EEC5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 2D37EECF
                                • Part of subcall function 2D385E3A: WriteFile.KERNEL32(FFFFFFFF,?,?,00000000,00000000,2D3A94F0,2D3A94F0,?,2D3732DE,OPatchInstall: CMSIProductDetection created for ProductCode ',?,?,?,?), ref: 2D385E68
                                • Part of subcall function 2D38F117: __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D38F117: ___sbh_find_block.LIBCMT ref: 2D38F140
                                • Part of subcall function 2D38F117: ___sbh_free_block.LIBCMT ref: 2D38F14F
                                • Part of subcall function 2D38F117: RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                                • Part of subcall function 2D38F117: GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                              Strings
                              • ' used incorrectly in operation ', xrefs: 2D37EF20
                              • OPatchInstall: Property ', xrefs: 2D37EEDB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: ErrorFileFreeH_prolog3HeapLastWrite___sbh_find_block___sbh_free_block__lock
                              • String ID: ' used incorrectly in operation '$OPatchInstall: Property '
                              • API String ID: 236043024-410500087
                              • Opcode ID: 2981769a88d0904195fc9fb9f9b13e44af6af6f32e12d606bdd539c595c791b0
                              • Instruction ID: 59bc7998d2106dddad1f9b5ccbad63a50279ee8192455ae1ab5c0401ae702489
                              • Opcode Fuzzy Hash: 2981769a88d0904195fc9fb9f9b13e44af6af6f32e12d606bdd539c595c791b0
                              • Instruction Fuzzy Hash: 8411A031A042199BCF29DB20CC416EC7732EFB0715F128095D205BA1E5CF305F81DB69
                              Function 2D36DBA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • GetProcAddress.KERNEL32(?,OPIUninitialize), ref: 2D36DBDC
                              • FreeLibrary.KERNEL32(?), ref: 2D36DBF3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: AddressFreeLibraryProc
                              • String ID: OPIUninitialize
                              • API String ID: 3013587201-3377397007
                              • Opcode ID: a1b1c9f585ed1e9a311acce56c254422f4b168b4a3ac395114e206bcb2761778
                              • Instruction ID: bc87fe015029f7b84a3fac9fab9693b0cd3663590e63a4b4c6c6d725c3e748c7
                              • Opcode Fuzzy Hash: a1b1c9f585ed1e9a311acce56c254422f4b168b4a3ac395114e206bcb2761778
                              • Instruction Fuzzy Hash: 7C01213190411ABFCF45EF95DC90DEE7BB9FF25204F014065E512B32A9DB309A45CBA4
                              Function 2D387DCB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39processCOMMON
                              Download Yara Rule
                              APIs
                              • _memset.LIBCMT ref: 2D387DDE
                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 2D387E0C
                                • Part of subcall function 2D38F117: __lock.LIBCMT ref: 2D38F135
                                • Part of subcall function 2D38F117: ___sbh_find_block.LIBCMT ref: 2D38F140
                                • Part of subcall function 2D38F117: ___sbh_free_block.LIBCMT ref: 2D38F14F
                                • Part of subcall function 2D38F117: RtlFreeHeap.NTDLL(00000000,?,2D3A6180,0000000C,2D392583,00000000,?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C), ref: 2D38F17F
                                • Part of subcall function 2D38F117: GetLastError.KERNEL32(?,2D395247,?,00000001,?,?,2D393448,00000018,2D3A6310,0000000C,2D3934D9,?,?,?,2D39263D,0000000D), ref: 2D38F190
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: CreateErrorFreeHeapLastProcess___sbh_find_block___sbh_free_block__lock_memset
                              • String ID: D
                              • API String ID: 921166304-2746444292
                              • Opcode ID: 43ab215e9b923d8c5323db930b8106a308d5411ffb6e58bd5069c850a040a846
                              • Instruction ID: a6cd6e005921e8f7239368daf2b79ff3351ea83a4646ab733ef25dd0a302f7fd
                              • Opcode Fuzzy Hash: 43ab215e9b923d8c5323db930b8106a308d5411ffb6e58bd5069c850a040a846
                              • Instruction Fuzzy Hash: 2EF06D75801128ABDB209B60DC05EDEBB79EB14210F008152EA08F3280EA346E49CFA8
                              Function 2D394823 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                                • Part of subcall function 2D38F6F1: __getptd.LIBCMT ref: 2D38F6F7
                                • Part of subcall function 2D38F6F1: __getptd.LIBCMT ref: 2D38F707
                              • __getptd.LIBCMT ref: 2D394832
                                • Part of subcall function 2D392592: __getptd_noexit.LIBCMT ref: 2D392595
                                • Part of subcall function 2D392592: __amsg_exit.LIBCMT ref: 2D3925A2
                              • __getptd.LIBCMT ref: 2D394840
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2508402933.000000002D361000.00000020.00000001.01000000.00000003.sdmp, Offset: 2D360000, based on PE: true
                              • Associated: 00000000.00000002.2508356506.000000002D360000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508451994.000000002D3A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2d360000_AccessDatabaseuser.jbxd
                              Similarity
                              • API ID: __getptd$__amsg_exit__getptd_noexit
                              • String ID: csm
                              • API String ID: 803148776-1018135373
                              • Opcode ID: 2ad2863a9b49dce4497e55dd7acd28658ef6168b0d44ac2102e30996a0e3f681
                              • Instruction ID: b20028960c0681e868746c37ccc3c6e24f84a022f506111ede4afa6d1482b4e1
                              • Opcode Fuzzy Hash: 2ad2863a9b49dce4497e55dd7acd28658ef6168b0d44ac2102e30996a0e3f681
                              • Instruction Fuzzy Hash: E10186348087469BCB248F65C4516FCB3F5FF24331F51852DD546B62A1CB32CA91CB05